HOME

TheInfoList



Click Here for Items Related To - Shibboleth Single Sign-on Architecture
OR:
Shibboleth Single Sign-on Architecture on:   [Wikipedia]   [Google]   [Amazon]

Shibboleth is a single sign-on log-in system for computer networks and the
Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...
. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations. The Shibboleth
Internet2 Internet2 is a not-for-profit United States computer network A computer network is a collection of communicating computers and other devices, such as printers and smart phones. In order to communicate, the computers and devices must ...
middleware Middleware is a type of computer software program that provides services to software applications beyond those available from the operating system. It can be described as "software glue". Middleware makes it easier for software developers to imple ...
initiative created an
architecture Architecture is the art and technique of designing and building, as distinguished from the skills associated with construction. It is both the process and the product of sketching, conceiving, planning, designing, and construction, constructi ...
and
open-source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use and view the source code, design documents, or content of the product. The open source model is a decentrali ...
implementation for
identity management Identity and access management (IAM or IdAM) or Identity management (IdM), is a framework of policies and technologies to ensure that the right users (that are part of the ecosystem connected to or within an enterprise) have the appropriate acce ...
and
federated identity A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. Federated identity is related to single sign-on (SSO), in which a ...
-based
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an Logical assertion, assertion, such as the Digital identity, identity of a computer system user. In contrast with iden ...
and
authorization Authorization or authorisation (see American and British English spelling differences#-ise, -ize (-isation, -ization), spelling differences), in information security, computer security and identity management, IAM (Identity and Access Managemen ...
(or
access control In physical security and information security, access control (AC) is the action of deciding whether a subject should be granted or denied access to an object (for example, a place or a resource). The act of ''accessing'' may mean consuming ...
) infrastructure based on
Security Assertion Markup Language Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based ...
(SAML). Federated identity allows the sharing of information about users from one security domain to the other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.


History

The Shibboleth project grew out of Internet2. Today, the project is managed by the Shibboleth Consortium. Two of the most popular software components managed by the Shibboleth Consortium are the Shibboleth Identity Provider and the Shibboleth Service Provider, both of which are implementations of
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (SAML), identity provider and a service provid ...
. The project was named after an identifying passphrase used in the
Bible The Bible is a collection of religious texts that are central to Christianity and Judaism, and esteemed in other Abrahamic religions such as Islam. The Bible is an anthology (a compilation of texts of a variety of forms) originally writt ...
( Judges ) because Ephraimites were not able to pronounce "sh". The Shibboleth project was started in 2000 to facilitate the sharing of resources between organizations with incompatible authentication and authorization infrastructures. Architectural work was performed for over a year prior to any software development. After development and testing, Shibboleth IdP 1.0 was released in July 2003. This was followed by the release of Shibboleth IdP 1.3 in August 2005. Version 2.0 of the Shibboleth software was a major upgrade released in March 2008. It included both IdP and SP components, but, more importantly, Shibboleth 2.0 supported SAML 2.0. The Shibboleth and SAML protocols were developed during the same timeframe. From the beginning, Shibboleth was based on SAML, but, where SAML was found lacking, Shibboleth improvised, and the Shibboleth developers implemented features that compensated for missing features in SAML 1.1. Some of these features were later incorporated into
SAML 2.0 Security Assertion Markup Language (SAML) 2.0 is a version of the Security Assertion Markup Language, SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based communications ...
, and, in that sense, Shibboleth contributed to the evolution of the SAML protocol. Perhaps the most important contributed feature was the legacy Shibboleth AuthnRequest protocol. Since the SAML 1.1 protocol was inherently an IdP-first protocol, Shibboleth invented a simple HTTP-based authentication request protocol that turned SAML 1.1 into an SP-first protocol. This protocol was first implemented in Shibboleth IdP 1.0 and later refined in Shibboleth IdP 1.3. Building on that early work, the
Liberty Alliance The Liberty Alliance Project was an organization formed in September 2001 to establish standards, guidelines and best practices for identity management in computer systems. It grew to more than 150 organizations, including technology vendors, c ...
introduced a fully expanded AuthnRequest protocol into the Liberty Identity Federation Framework. Eventually, Liberty ID-FF 1.2 was contributed to OASIS, which formed the basis for the OASIS SAML 2.0 Standard.


Architecture

Shibboleth is a web-based technology that implements the artifact and attribute push profiles of
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (SAML), identity provider and a service provid ...
, including both Identity Provider (IdP) and Service Provider (SP) components. Shibboleth 1.3 has its own technical overview, architectural document, and conformance document that build on top of the SAML 1.1 specifications.


Shibboleth 1.3

In the canonical use case: # A user first accesses a resource hosted by a web server (the service provider) that has Shibboleth content protection enabled. # The SP crafts a proprietary authentication request that is passed through the browser using URL query parameters to supply the requester's SAML entityID, the assertion consumption location, and optionally the end page to return the user to. # The user is redirected to either their home IdP or a WAYF (Where Are You From) service, where they select their home IdP for further redirection. # The user authenticates to an access control mechanism external to Shibboleth. # Shibboleth generates a SAML 1.1 authentication assertion with a temporary "handle" contained within it. This handle allows the IdP to recognize a request about a particular browser user as corresponding to the principal that authenticated earlier. # The user is POSTed to the assertion consumer service of the SP. The SP consumes the assertion and issues an AttributeQuery to the IdP's attribute service for attributes about that user, which may or may not include the user's identity. # The IdP sends an attribute assertion containing trusted information about the user to the SP. # The SP either makes an access control decision based on the attributes or supplies information to applications to make decisions themselves. Shibboleth supports a number of variations on this base case, including portal-style flows whereby the IdP mints an unsolicited assertion to be delivered in the initial access to the SP, and lazy session initiation, which allows an application to trigger content protection through a method of its choice as required. Shibboleth 1.3 and earlier do not provide a built-in
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an Logical assertion, assertion, such as the Digital identity, identity of a computer system user. In contrast with iden ...
mechanism, but any Web-based authentication mechanism can be used to supply user data for Shibboleth to use. Common systems for this purpose include CAS or Pubcookie. The authentication and single-sign-on features of the Java container in which the IdP runs (Tomcat, for example) can also be used.


Shibboleth 2.0

Shibboleth 2.0 builds on
SAML 2.0 Security Assertion Markup Language (SAML) 2.0 is a version of the Security Assertion Markup Language, SAML standard for exchanging authentication and authorization identities between security domains. SAML 2.0 is an XML-based communications ...
standards. The IdP in Shibboleth 2.0 has to do additional processing in order to support passive and forced authentication requests in SAML 2.0. The SP can request a specific method of authentication from the IdP. Shibboleth 2.0 supports additional encryption capacity.


Attributes

Shibboleth's access control is performed by matching attributes supplied by IdPs against rules defined by SPs. An attribute is any piece of information about a user, such as "member of this community", "Alice Smith", or "licensed under contract A". User identity is considered an attribute, and is only passed when explicitly required, which preserves user privacy. Attributes can be written in Java or pulled from directories and databases. Standard X.520 attributes are most commonly used, but new attributes can be arbitrarily defined as long as they are understood and interpreted similarly by the IdP and SP in a transaction.


Trust

Trust between domains is implemented using public key cryptography (often simply TLS server certificates) and metadata that describes providers. The use of information passed is controlled through agreements. Federations are often used to simplify these relationships by aggregating large numbers of providers that agree to use common rules and contracts.


Development

Shibboleth is open-source and provided under the Apache 2 license. Many extensions have been contributed by other groups.


See also

*
OpenAthens OpenAthens is an identity and access management service, supplied by Jisc, a British not-for-profit information technology services company. Identity provider (IdP) organisations can keep usernames in the cloud, locally or both. Integration with ...


References


External links

* {{official website, https://www.shibboleth.net/ Federated identity Identity management initiative