Access and Identity Management - Eduserv AIM
How Shibboleth works

Introduction

Shibboleth forms a part of an organisation's SSO environment for access to protected web resources. The Shibboleth component facilitates the exchange of authorisation and authentication information between organisations and resource providers. Shibboleth works in conjunction with an organisation's authentication system and user information databases and allows a resource provider to make authorisation decisions based on that information.


This document describes how the Shibboleth architecture operates, passing user attributes securely from an organisation to a resource provider.

Concepts

Reference software

The Shibboleth architecture and protocols are made available publicly; in addition, the project provides reference software for organisations and resource providers under an Open Source licence. Other versions of Shibboleth components are expected to be made available; the Athens Identity Manager (AthensIM) is one example.


Single sign-on

Many web-based applications have their own authentication system, and each user of that application is issued with a username specifically for access to that system. Similarly, owners of protected web sites issue usernames and passwords for access to their protected or subscribed resources. So a typical student is likely to have a username for access to the Library Catalogue, a username for access to local PCs, another username for access to the Virtual Learning Environment, and a username for access to academic research material like ISI's Web of Knowledge or Gale's InfoTrac.


This proliferation of usernames causes management effort for the organisation, confusion for the user, and customer service effort to help the user. The purpose of a single sign-on system is twofold: to allow the same username to be used for access to many online resources, and to allow the user to navigate from one resource to another without having to re-type the username and password.


The principal objective of Shibboleth is to allow an organisation to have a single set of usernames and passwords for access to all online resources, whether local or external, available to members of the organisation. The organisation is responsible for authenticating the user, by whatever means it deems appropriate; Shibboleth does not pre-ordain the method: it could be Kerberos, Novell iChain, HTTP basic authentication, or X.509 certificates, indeed any web-server-based authentication method. Neither the authentication system nor the single sign-on system is provided by the Shibboleth reference software.


Standards

Shibboleth is based on open standards; this is essential to facilitate the adoption of the Shibboleth architecture in as many local and external resources as possible, and to build as large a single sign-on environment as possible. The actual standard used is the Security Assertion Markup Language (SAML), as ratified by OASIS.


Attributes

The organisation is responsible for providing attributes about each of its members such as member of department x, role of student or faculty, entitlement to restricted medical resources. The organisation also provides an Attribute Release Policy so that administrators can choose which attributes are released to which online resources. The reference software provides an Attribute Authority which can be used to retrieve attributes from various sources, such as LDAP Directories, databases and files.


Individual privacy

The architecture of Shibboleth enforces the concept of individual privacy, allowing users to have a one-time session identifier and no persistent identity visible outside the organisation.


Individual privacy is also enforced by the concept of the Attribute Release Policy, which is designed to allow the user to restrict the release of attributes to third parties. Management interfaces to enforce the Attribute Release Policy are not yet available.


Federation

A federation is a set of organisations and resources that agree to work together within a given set of policies, governance and legal agreements.

The federation provides a list of participating organisations, with details of the registered Shibboleth components for that organisation. This is made available to users wishing to access resources registered with the federation, to allow them to navigate to their home organisation for authentication and the provision of authorisation information. This list is known as the Where Are You From (WAYF) service.


Service Provider

The online resource is responsible for determining whether a user is entitled to access the resource, using attribute information supplied by the user's home organisation.


The Service Provider is also responsible for publicising details of attributes required for access to each resource, enabling users to prepare themselves for access to the resource.


Elements of the architecture

The organisation is known as the Identity Provider and provides:

  • its own authentication and single sign-on system
  • an Attribute Authority linked to user attribute information (also part of the reference software)

The federation provides a Where Are You From (WAYF) service.

The resource is known as a Service Provider and interacts with the WAYF, Handle Server and Attribute Authority.

The user is assumed to access the resource from outside his/her home organisation and needs to be directed to that home organisation for authentication and the provision of authorisation information.

The Shibboleth authentication and authorisation process

  1. First of all, the user accesses a protected resource.
  2. The resource redirects the user to the WAYF, so that he/she can select his/her home organisation. Depending on the policy of the federation, the user may be able to record this preference, perhaps in a cookie, for future use.
  3. The user is then directed to his home organisation, which sends him to the authentication system for his organisation.
  4. The user authenticates himself, by whatever means his organisation deems appropriate for this federation.
  5. After successful authentication, a one-time handle or session identifier is generated for this user session, and the user is returned to the resource.
  6. The resource uses the handle to request attribute information from the Identity Provider for this user.
  7. The organisation allows or denies the attribute information to be made available to this resource using the Attribute Release policy.
  8. Based on the attribute information made available, the resource then allows or denies the user access to the resource.
[Figure: how Shibboleth works (image howshibworks.gif)]
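The following is an added example, not Eduserv or Shibboleth project code: a minimal model of steps 5 to 8 above together with the Attribute Release Policy described under "Attributes" and "Individual privacy". The usernames, attribute names, Service Provider identifiers and policy entries are constructed for illustration; authentication itself (steps 1 to 4) is assumed to have already succeeded, as the page says it lies outside the reference software.

```python
# Added example (not Eduserv or Shibboleth project code): a model of the
# handle / attribute-release exchange. All names and values are constructed.
import secrets

# Constructed Identity Provider store: attributes held about each member.
USER_ATTRIBUTES = {
    "alice": {"eduPersonAffiliation": "student", "department": "chemistry",
              "entitlement": "medical-restricted"},
}
# Constructed Attribute Release Policy: which attributes each Service
# Provider may see. Anything not listed is never released (individual privacy).
RELEASE_POLICY = {
    "https://sp.example.org/journal": {"eduPersonAffiliation"},
    "https://sp.example.org/medical": {"eduPersonAffiliation", "entitlement"},
}
HANDLES = {}  # one-time handle -> (username, service provider); consumed on use

def issue_handle(username, sp_id):
    """Step 5: after authentication, mint an opaque single-use session handle."""
    handle = secrets.token_urlsafe(16)  # no persistent identity leaves the IdP
    HANDLES[handle] = (username, sp_id)
    return handle

def attribute_authority(handle, requesting_sp):
    """Steps 6-7: resolve the handle, apply the release policy, discard handle."""
    entry = HANDLES.pop(handle, None)  # pop so a handle can never be replayed
    if entry is None or entry[1] != requesting_sp:
        return None  # unknown, already used, or presented by a different SP
    username, _ = entry
    allowed = RELEASE_POLICY.get(requesting_sp, set())
    return {k: v for k, v in USER_ATTRIBUTES.get(username, {}).items()
            if k in allowed}

def service_provider_decision(attrs, required):
    """Step 8: grant access only if every required attribute value is present."""
    if attrs is None:
        return False
    return all(attrs.get(k) == v for k, v in required.items())

def run_flow(username, sp_id, required):
    """Steps 5-8 end to end; returns (granted, released attributes, handle)."""
    handle = issue_handle(username, sp_id)
    attrs = attribute_authority(handle, sp_id)
    return service_provider_decision(attrs, required), attrs, handle
```

The journal SP never learns the user's department or medical entitlement, and a handle presented twice or by a different SP yields nothing.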