Shibboleth (Internet2)
From Wikipedia, the free encyclopedia
Shibboleth is an Internet2 Middleware Initiative project that has created an architecture and open-source implementation for federated identity-based authentication and authorization infrastructure based on SAML. Federated identity allows information about users in one security domain to be provided to other organizations in a common federation. This allows cross-domain single sign-on and removes the need for content providers to maintain their own usernames and passwords. Identity providers (IdPs) authenticate users and supply information about them, while service providers (SPs) consume this information and gate access to protected content.
Architecture
Shibboleth implements the SAML browser profiles (HTTP/POST and artifact) and an attribute push profile, and provides both an Identity Provider (IdP) and a Service Provider (SP) component.
Shibboleth 1.3 and earlier do not provide a built-in authentication mechanism; any web-based authentication mechanism can be used to supply user data for Shibboleth to use. Common systems for this purpose include CAS and Pubcookie. The authentication/SSO features of the Java container in which the IdP runs (Tomcat, for example) can also be used. Because the IdP accepts the identity that this front-end layer presents to it, the security of a deployment depends on that layer as much as on the SAML exchange itself.
Attributes
Shibboleth's access control is performed by matching attributes supplied by IdPs against rules defined by SPs. An attribute is any atom of information about a user, such as "member of this community", "Alice Smith", or "licensed under contract A". User identity is itself considered an attribute and is only passed when explicitly required, which preserves user privacy. Attributes can be computed by custom Java code or pulled from directories and databases. Standard X.520 attributes are most commonly used, but new attributes can be defined arbitrarily as long as they are understood and interpreted in the same way by the IdP and SP in a transaction.
Trust
Trust between domains is implemented using public key cryptography (often simply SSL server certificates) and metadata that describes each provider's identifier, endpoints and keys. How the information passed may be used is governed by agreements. Federations are often used to simplify these relationships by aggregating large numbers of providers that agree to use common rules and contracts.
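The two sections above describe what an SP does with an assertion: check that the issuer is a trusted IdP listed in the federation metadata, check the assertion's validity conditions, and then match the released attributes against its own access rules. The following is an added example written for this article, not code from the Shibboleth project, showing those checks on a SAML 1.1 attribute assertion. It uses only the Python standard library. It also demonstrates the scope check a Shibboleth SP applies to scoped attributes such as eduPersonScopedAffiliation: a value is accepted only if its scope is one the metadata authorises the issuing IdP to assert, so one IdP cannot claim that a user is staff at another institution. It deliberately omits XML signature verification, which a real SP must perform first with the IdP key from metadata; the metadata, assertion, entityIDs, attribute names and the rule are all constructed for the example.

```python
# Added example, not Shibboleth's own code: SP-side checks on a SAML 1.1 attribute
# assertion. XML signature verification is omitted (a real SP verifies it first with
# the IdP key from metadata). All XML, entityIDs and URLs below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",      # metadata format used by Shibboleth 1.3
      "shibmd": "urn:mace:shibboleth:metadata:1.0",      # Shibboleth <Scope> metadata extension
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}   # SAML 1.x assertions

# Constructed federation metadata: one IdP, allowed to assert the scope example.edu.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <md:EntityDescriptor entityID="https://idp.example.edu/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""

# Constructed assertion. Its second affiliation value claims a scope (other.edu) that
# the issuing IdP is not authorised for; it must be discarded, not trusted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  Issuer="https://idp.example.edu/shibboleth" IssueInstant="2006-07-19T12:00:00Z">
 <saml:Conditions NotBefore="2006-07-19T12:00:00Z" NotOnOrAfter="2006-07-19T12:05:00Z">
  <saml:AudienceRestrictionCondition>
   <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
   <saml:AttributeValue Scope="example.edu">member</saml:AttributeValue>
   <saml:AttributeValue Scope="other.edu">staff</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement">
   <saml:AttributeValue>urn:mace:example.org:contract:A</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

SP_ENTITY_ID = "https://sp.example.org/shibboleth"
NOW = datetime(2006, 7, 19, 12, 1, tzinfo=timezone.utc)
# SP access rule: every listed attribute must carry at least one of the listed values.
RULE = {"urn:mace:dir:attribute-def:eduPersonScopedAffiliation": {"member@example.edu", "staff@example.edu"},
        "urn:mace:dir:attribute-def:eduPersonEntitlement": {"urn:mace:example.org:contract:A"}}


def load_idp_scopes(metadata_xml):
    """Map each IdP entityID to the literal scopes the metadata lets it assert
    (regexp="true" scopes are ignored here for brevity)."""
    scopes = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.find("md:IDPSSODescriptor", NS) is not None:   # skip entities that are not IdPs
            scopes[ed.get("entityID")] = {s.text.strip() for s in ed.iter("{%s}Scope" % NS["shibmd"])
                                          if s.get("regexp", "false") == "false"}
    return scopes


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_ok(assertion, audience, now):
    """Validity window and audience restriction from <saml:Conditions>."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False
    if cond.get("NotBefore") and now < parse_utc(cond.get("NotBefore")):
        return False
    if cond.get("NotOnOrAfter") and now >= parse_utc(cond.get("NotOnOrAfter")):
        return False
    return audience in {a.text.strip() for a in cond.iter("{%s}Audience" % NS["saml"])}


def accept_attributes(assertion, allowed_scopes):
    """Collect attribute values. A scoped value is kept only if its scope is one the
    issuing IdP may assert; this is what stops one IdP from claiming affiliations
    at another institution. Unscoped values are taken as-is."""
    attrs = {}
    for attr in assertion.iter("{%s}Attribute" % NS["saml"]):
        values = set()
        for v in attr.findall("saml:AttributeValue", NS):
            text, scope = (v.text or "").strip(), v.get("Scope")
            if scope is None:
                values.add(text)
            elif scope in allowed_scopes:
                values.add("%s@%s" % (text, scope))
        attrs[attr.get("AttributeName")] = values
    return attrs


def authorize(metadata_xml, assertion_xml, audience, now, rule):
    """Return (granted, reason, accepted_attributes) for one assertion."""
    idp_scopes = load_idp_scopes(metadata_xml)
    assertion = ET.fromstring(assertion_xml)
    issuer = assertion.get("Issuer")
    if issuer not in idp_scopes:
        return False, "issuer not in federation metadata", {}
    if not conditions_ok(assertion, audience, now):
        return False, "expired, not yet valid, or addressed to another SP", {}
    attrs = accept_attributes(assertion, idp_scopes[issuer])
    for name, acceptable in rule.items():
        if not attrs.get(name, set()) & acceptable:
            return False, "rule not satisfied: " + name, attrs
    return True, "ok", attrs
```

Calling `authorize(METADATA, ASSERTION, SP_ENTITY_ID, NOW, RULE)` grants access, and the accepted affiliation set contains only `member@example.edu`; the `staff@other.edu` value is dropped because the metadata does not authorise that IdP for the other.edu scope. Changing the audience, moving the clock past NotOnOrAfter, or using an issuer absent from the metadata each yields a refusal before any attribute is looked at, which is the order a real SP follows.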
Development
Shibboleth is open source and provided under the Apache License 2.0. Many extensions, such as SHARPE and GridShib, have been contributed by other groups. The project started in 2000 and the first code was released in 2002.
Adoption
In February 2006 the Joint Information Systems Committee (JISC) of the Higher Education Funding Council for England announced that it would move from the Athens authentication system to an access-management system based on Shibboleth technology.[1] It has since updated its position and endorses a federated access-management solution rather than Shibboleth itself.
References
1. JISC announces the development of a new access-management system for the UK. Joint Information Systems Committee. Retrieved on 2006-07-19.