Shibboleth (software)

Shibboleth is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations.

Shibboleth
Type: Single sign-on system
Website: www.shibboleth.net

The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML). Federated identity allows the sharing of information about users from one security domain to the other organizations in a federation. This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords. Identity providers (IdPs) supply user information, while service providers (SPs) consume this information and give access to secure content.

History

The Shibboleth project grew out of Internet2. Today, the project is managed by the Shibboleth Consortium. Two of the most popular software components managed by the Shibboleth Consortium are the Shibboleth Identity Provider and the Shibboleth Service Provider, both of which are implementations of SAML.

The project was named after an identifying passphrase used in the Bible (Judges 12:4–6) because Ephraimites were not able to pronounce "sh".

The Shibboleth project was started in 2000 to facilitate the sharing of resources between organizations with incompatible authentication and authorization infrastructures. Architectural work was performed for over a year prior to any software development. After development and testing, Shibboleth IdP 1.0 was released in July 2003.[1] This was followed by the release of Shibboleth IdP 1.3 in August 2005.

Version 2.0 of the Shibboleth software was a major upgrade released in March 2008.[2] It included both IdP and SP components, but, more importantly, Shibboleth 2.0 supported SAML 2.0.

The Shibboleth and SAML protocols were developed during the same timeframe. From the beginning, Shibboleth was based on SAML, but, where SAML was found lacking, Shibboleth improvised, and the Shibboleth developers implemented features that compensated for missing features in SAML 1.1. Some of these features were later incorporated into SAML 2.0, and, in that sense, Shibboleth contributed to the evolution of the SAML protocol.

Perhaps the most important contributed feature was the legacy Shibboleth AuthnRequest protocol. Since the SAML 1.1 protocol was inherently an IdP-first protocol, Shibboleth invented a simple HTTP-based authentication request protocol that turned SAML 1.1 into an SP-first protocol. This protocol was first implemented in Shibboleth IdP 1.0 and later refined in Shibboleth IdP 1.3.

Building on that early work, the Liberty Alliance introduced a fully expanded AuthnRequest protocol into the Liberty Identity Federation Framework (ID-FF). Liberty ID-FF 1.2 was eventually contributed to OASIS and formed the basis for the OASIS SAML 2.0 Standard.

Architecture

Shibboleth is a web-based technology that implements the SAML 1.1 Browser/POST and Browser/Artifact profiles together with an attribute push profile of its own, and includes both Identity Provider (IdP) and Service Provider (SP) components. Shibboleth 1.3 has its own technical overview,[3] architectural document,[4] and conformance document[5] that build on top of the SAML 1.1 specifications.

Shibboleth 1.3

In the canonical use case:

  1. A user first accesses a resource hosted by a web server (the service provider) that has Shibboleth content protection enabled.
  2. The SP crafts a Shibboleth-specific authentication request (not part of SAML 1.1) that is passed through the browser as URL query parameters supplying the requester's SAML entityID, the assertion consumer location, and optionally the page to return the user to afterwards.
  3. The user is redirected either to their home IdP or to a WAYF (Where Are You From) service, where they select their home IdP for further redirection.
  4. The user authenticates to an access control mechanism external to Shibboleth.
  5. Shibboleth generates a SAML 1.1 authentication assertion whose subject is a temporary, opaque "handle" rather than the user's name. The handle lets the IdP recognise a later request about a particular browser user as referring to the principal that authenticated earlier, without exposing that identity in the front-channel message.
  6. The user's browser POSTs the assertion to the SP's assertion consumer service. The SP validates and consumes the assertion, then issues a back-channel AttributeQuery to the IdP's attribute service for attributes about that user, which may or may not include the user's identity.
  7. The IdP sends the SP an attribute assertion containing the trusted information about the user that it is willing to release to that SP.
  8. The SP either makes an access control decision based on the attributes or supplies them to applications to make decisions themselves.

Shibboleth supports a number of variations on this base case, including portal-style flows whereby the IdP mints an unsolicited assertion to be delivered in the initial access to the SP, and lazy session initiation, which allows an application to trigger content protection through a method of its choice as required.

Shibboleth 1.3 and earlier do not provide a built-in authentication mechanism, but any Web-based authentication mechanism can be used to supply user data for Shibboleth to use. Common systems for this purpose include CAS or Pubcookie. The authentication and single-sign-on features of the Java container in which the IdP runs (Tomcat, for example) can also be used.
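The canonical use case above, worked through as an added example that is not code from the Shibboleth project: a simulated SP and IdP in Python build the legacy request URL, issue a SAML 1.1 assertion whose subject is an opaque handle, validate that assertion at the SP, and resolve the handle through an attribute query. The query-parameter names (shire, providerId, target, time) and the handle NameIdentifier format URI are those of the Shibboleth 1.x protocol; the entity IDs, URLs, user store, release policy and handle lifetime are assumed, and XML signatures, TLS and the WAYF hop are omitted.

```python
"""Simulated Shibboleth 1.3 flow: SP-first request, handle-bearing SAML 1.1
assertion, back-channel attribute query. Illustration only; signatures,
TLS and the WAYF hop are omitted and all identifiers are made up."""
import calendar
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
HANDLE_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"  # Shibboleth 1.x handle
IDP_ID = "https://idp.example.edu/shibboleth"              # constructed
IDP_SSO = "https://idp.example.edu/shibboleth-idp/SSO"     # constructed
SP_ID = "https://sp.example.org/shibboleth"                # constructed
SHIRE = "https://sp.example.org/Shibboleth.sso/SAML/POST"  # constructed ACS
HANDLE_TTL = 300  # seconds a handle stays resolvable (assumed)
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed IdP user store and per-SP release policy: this SP gets the
# affiliation only; mail, which identifies the user, is withheld.
USERS = {"alice": {"eduPersonAffiliation": ["member", "student"],
                   "mail": ["alice@example.edu"]}}
RELEASE = {SP_ID: ["eduPersonAffiliation"]}
_handles = {}  # handle -> (principal, issued_at, sp_entity_id)


def sp_build_authn_request(provider_id, shire, target):
    """Step 2: redirect URL carrying the legacy Shibboleth request parameters."""
    q = {"shire": shire, "providerId": provider_id, "target": target,
         "time": str(int(time.time()))}
    return f"{IDP_SSO}?{urlencode(q)}"


def idp_sso(request_url, principal, now=None):
    """Steps 4-5: after external authentication, mint a handle bound to the
    requesting SP and wrap it in a SAML 1.1 authentication assertion."""
    now = now or time.time()
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    handle = secrets.token_urlsafe(24)  # opaque; says nothing about the user
    _handles[handle] = (principal, now, q["providerId"])
    stamp = lambda t: time.strftime(TS, time.gmtime(t))
    a = ET.Element(f"{{{SAML}}}Assertion", MajorVersion="1", MinorVersion="1",
                   AssertionID="_" + secrets.token_hex(16), Issuer=IDP_ID,
                   IssueInstant=stamp(now))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=stamp(now - 60),
                         NotOnOrAfter=stamp(now + HANDLE_TTL))
    arc = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML}}}Audience").text = q["providerId"]
    st = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                       AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password",
                       AuthenticationInstant=stamp(now))
    subj = ET.SubElement(st, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", Format=HANDLE_FORMAT,
                  NameQualifier=IDP_ID).text = handle
    # A real IdP signs the response here; an unsigned one must not be trusted.
    return q["shire"], q["target"], ET.tostring(a, encoding="unicode")


def sp_consume_assertion(xml, my_entity_id, now=None):
    """Step 6, SP side: check audience and validity window, extract the handle."""
    now = now or time.time()
    a = ET.fromstring(xml)
    cond = a.find(f"{{{SAML}}}Conditions")
    nb = calendar.timegm(time.strptime(cond.get("NotBefore"), TS))
    na = calendar.timegm(time.strptime(cond.get("NotOnOrAfter"), TS))
    if not nb <= now < na:
        raise ValueError("assertion outside its validity window")
    if my_entity_id not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not addressed to this SP")
    nid = a.find(f".//{{{SAML}}}NameIdentifier")
    if nid is None or nid.get("Format") != HANDLE_FORMAT:
        raise ValueError("no Shibboleth handle in assertion")
    return nid.text


def idp_attribute_query(handle, requester, now=None):
    """Steps 6-7, IdP side: resolve a handle only for the SP it was issued
    to, only while fresh, and release only what that SP's policy allows."""
    now = now or time.time()
    if handle not in _handles:
        raise PermissionError("unknown handle")
    principal, issued, sp = _handles[handle]
    if sp != requester:
        raise PermissionError("handle was issued to a different SP")
    if now - issued > HANDLE_TTL:
        raise PermissionError("handle expired")
    allowed = RELEASE.get(requester, [])
    return {k: v for k, v in USERS[principal].items() if k in allowed}


def run_flow(principal="alice", now=None):
    """Steps 1-8 end to end; returns what the SP learns about the user."""
    url = sp_build_authn_request(SP_ID, SHIRE, "https://sp.example.org/secret")
    shire, target, assertion = idp_sso(url, principal, now)
    handle = sp_consume_assertion(assertion, SP_ID, now)
    return idp_attribute_query(handle, SP_ID, now)  # step 8 decides on these


if __name__ == "__main__":
    print(run_flow())  # {'eduPersonAffiliation': ['member', 'student']}
```

The checks the toy SP and IdP make are the ones that matter in production: the SP accepts an assertion only for its own audience and only inside the Conditions window, and the IdP resolves a handle only for the SP it issued it to, only while it is fresh, and only to the extent of that SP's release policy, so the front channel never carries the user's name. Signature verification against the IdP's published key, which this simulation omits, belongs with the metadata-based trust described under Trust.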

Shibboleth 2.0

Shibboleth 2.0 builds on the SAML 2.0 standards. The IdP in Shibboleth 2.0 has to do additional processing to support SAML 2.0's passive (IsPassive) and forced (ForceAuthn) authentication requests, and the SP can request a specific authentication method (RequestedAuthnContext) from the IdP. Shibboleth 2.0 also supports the XML encryption that SAML 2.0 adds for assertions and name identifiers.

Attributes

Shibboleth's access control is performed by matching attributes supplied by IdPs against rules defined by SPs. An attribute is any piece of information about a user, such as "member of this community", "Alice Smith" or "licensed under contract A". User identity is itself just an attribute and is only passed when explicitly required, which preserves user privacy. Attribute values can be computed by custom Java code or pulled from directories and databases. Standard X.520 directory attributes (and, in higher education, the eduPerson schema) are most commonly used, but new attributes can be defined arbitrarily as long as the IdP and SP in a transaction understand and interpret them the same way.
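An added example of the attribute-based access control just described, written in Python rather than as the SP's XML configuration and not Shibboleth SP code: scoped values such as eduPersonScopedAffiliation are first checked against the scopes the issuing IdP is permitted to assert, since nothing in the protocol stops a misconfigured or hostile IdP from asserting another institution's scope, and only then is the SP's rule evaluated. The IdP scopes, attribute values, rule tuples and resource rule are constructed.

```python
"""SP-side attribute handling: validate scoped values against the issuing
IdP's permitted scopes, then evaluate an access rule. Illustration only;
the rule tuples, scopes, attributes and resource rule are all constructed."""
import re

# Constructed: scopes the federation metadata permits each IdP to assert,
# as (value, is_regexp) pairs.
IDP_SCOPES = {
    "https://idp.example.edu/shibboleth": [("example.edu", False),
                                           (r"[a-z]+\.example\.edu", True)],
}
# Attribute names whose values carry a "@scope" suffix that must be checked.
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def scope_allowed(issuer, scope):
    """Exact match, or a full regexp match for regexp="true" scopes; a
    partial match would let 'example.edu.attacker.net' through."""
    for pattern, is_regexp in IDP_SCOPES.get(issuer, []):
        if re.fullmatch(pattern, scope) if is_regexp else scope == pattern:
            return True
    return False


def filter_scoped(issuer, attrs):
    """Drop every scoped value whose scope the issuer may not assert.
    Without this an IdP for other.edu could claim 'faculty@example.edu'."""
    out = {}
    for name, values in attrs.items():
        if name not in SCOPED:
            out[name] = list(values)
            continue
        kept = [v for v in values
                if "@" in v and scope_allowed(issuer, v.rsplit("@", 1)[1])]
        if kept:
            out[name] = kept
    return out


def evaluate(rule, attrs):
    """Rule grammar: ("require", attr, value), ("and", [rules]),
    ("or", [rules]), ("not", rule). A missing attribute never matches."""
    op = rule[0]
    if op == "require":
        return rule[2] in attrs.get(rule[1], [])
    if op == "and":
        return all(evaluate(r, attrs) for r in rule[1])
    if op == "or":
        return any(evaluate(r, attrs) for r in rule[1])
    if op == "not":
        return not evaluate(rule[1], attrs)
    raise ValueError(f"unknown rule operator {op!r}")


# Constructed rule for a licensed resource: members of example.edu, or
# anyone whose IdP asserts the widely used common-lib-terms entitlement.
JOURNAL_RULE = ("or", [
    ("require", "eduPersonScopedAffiliation", "member@example.edu"),
    ("require", "eduPersonEntitlement",
     "urn:mace:dir:entitlement:common-lib-terms"),
])


def decide(issuer, raw_attrs, rule=JOURNAL_RULE):
    """Access decision: validate scopes first, then apply the rule."""
    return evaluate(rule, filter_scoped(issuer, raw_attrs))


if __name__ == "__main__":
    idp = "https://idp.example.edu/shibboleth"
    print(decide(idp, {"eduPersonScopedAffiliation": ["member@example.edu"]}))  # True
    print(decide(idp, {"eduPersonScopedAffiliation": ["member@other.edu"]}))    # False
```

The order matters: scope filtering happens before any rule sees the values, so a rule author can write "member@example.edu" without also having to remember which IdPs are entitled to say so.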

Trust

Trust between domains is implemented using public key cryptography and metadata that describes providers: each provider's signing keys (often simply its TLS server certificate) and endpoints are published in metadata, and a message is trusted only if it was signed by, or arrived over a TLS channel authenticated with, a key the metadata lists for that party. How the information passed may be used is controlled through agreements. Federations simplify these relationships by aggregating large numbers of providers that agree to common rules and contracts and by distributing one signed metadata aggregate for all of them.
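An added example of metadata-rooted trust, not Shibboleth code: an SP parses a constructed metadata document, refuses it once validUntil has passed, and accepts a signer only if the certificate that signed an incoming message is one the metadata lists for that entity. The SAML 2.0 metadata namespaces, the shibmd:Scope extension and the Shibboleth 1.x AuthnRequest binding URI are real; the entity ID, endpoint, certificate (a placeholder string, not a real X.509 blob) and dates are made up, and verification of the federation's own signature over the metadata, which is what makes these keys trustworthy in practice, is left out.

```python
"""Explicit-key trust from SAML metadata: which key may sign for an IdP,
where its SSO endpoint is and which scopes it may assert. Illustration
only; the metadata, certificate and entity ID are constructed."""
import base64
import calendar
import hashlib
import time
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
SHIB_AUTHNREQ = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"  # legacy binding
TS = "%Y-%m-%dT%H:%M:%SZ"
IDP_ID = "https://idp.example.edu/shibboleth"  # constructed

# Constructed stand-in for the DER certificate bytes a real KeyDescriptor carries.
PLACEHOLDER_CERT = base64.b64encode(
    b"constructed placeholder, not a real X.509 DER certificate").decode()

METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    xmlns:shibmd="{SHIBMD}" validUntil="2024-06-01T00:00:00Z">
  <md:EntityDescriptor entityID="{IDP_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{SHIB_AUTHNREQ}"
          Location="https://idp.example.edu/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(cert_b64):
    """SHA-256 of the DER bytes; whitespace inside a PEM body is ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def load_idp(metadata_xml, entity_id, now=None):
    """Extract what the SP needs for one IdP, refusing expired metadata."""
    now = now or time.time()
    root = ET.fromstring(metadata_xml)
    vu = root.get("validUntil")
    if vu and now >= calendar.timegm(time.strptime(vu, TS)):
        raise ValueError("metadata past validUntil; refresh before trusting it")
    ent = next((e for e in root.iter(f"{{{MD}}}EntityDescriptor")
                if e.get("entityID") == entity_id), None)
    if ent is None:
        raise LookupError(f"{entity_id} is not in the metadata")
    role = ent.find(f"{{{MD}}}IDPSSODescriptor")
    if role is None:
        raise ValueError("entity publishes no IdP role")
    fps = {fingerprint(c.text)
           for kd in role.findall(f"{{{MD}}}KeyDescriptor")
           if kd.get("use") in (None, "signing")  # no 'use' means both uses
           for c in kd.iter(f"{{{DS}}}X509Certificate")}
    if not fps:
        raise ValueError("IdP publishes no signing key")
    sso = next((s.get("Location")
                for s in role.findall(f"{{{MD}}}SingleSignOnService")
                if s.get("Binding") == SHIB_AUTHNREQ), None)
    scopes = [(s.text, s.get("regexp") == "true")
              for s in role.iter(f"{{{SHIBMD}}}Scope")]
    return {"signing_fps": fps, "sso": sso, "scopes": scopes}


def signer_is_trusted(metadata_xml, entity_id, signer_cert_b64, now=None):
    """Explicit-key trust: the certificate that signed an assertion must be one
    the metadata lists for that entity. Neither a public CA, the TLS chain nor
    the hostname in a URL plays any part in this decision."""
    info = load_idp(metadata_xml, entity_id, now)
    return fingerprint(signer_cert_b64) in info["signing_fps"]


if __name__ == "__main__":
    info = load_idp(METADATA, IDP_ID, now=1_700_000_000)
    print(info["sso"], info["scopes"])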

Development

Shibboleth is open-source and provided under the Apache 2 license. Many extensions have been contributed by other groups.

Adoption

Federations have been formed in many countries around the world to build trust structures for the exchange of information using SAML and Shibboleth software. Many major content providers support Shibboleth-based access.

In February 2006, the Joint Information Systems Committee (JISC) of the Higher Education Funding Councils of England, Scotland, Wales and Northern Ireland announced that it would move from the Athens authentication system to an access-management system based on Shibboleth technology.[6] Since then it has updated its position and is endorsing a federated access management solution rather than Shibboleth itself.

See also

  • OpenAthens

References

  1. Pollack, Michelle (2003-07-01). "I2-News: Internet2 Releases Privacy-Preserving Web Authorizing Software" (Mailing list). Archived from the original on 2012-12-13. Retrieved 2007-11-28.
  2. "Shibboleth 2.0 Available".
  3. Scavo, Tom; Cantor, Scott (2005-06-08). "Shibboleth Architecture: Technical Overview" (PDF). Document ID draft-mace-shibboleth-tech-overview-02. Archived from the original on 2012-03-14. Retrieved 2017-10-02.
  4. "Shibboleth Architecture: Protocols and Profiles" (PDF). 2005-09-10. Retrieved 2017-08-24.
  5. Cantor, Scott; Morgan, RL "Bob"; Scavo, Tom (2005-09-10). "Shibboleth Architecture: Conformance Requirements" (PDF). Retrieved 2017-08-24.
  6. "JISC announces the development of a new access-management system for the UK". Joint Information Systems Committee. Retrieved 2006-07-19.

External links

  • Official website
  • Official Shibboleth 1.x Wiki
  • Official Shibboleth 2.x Wiki
  • Official Shibboleth IdP 3.x Wiki
  • Official Shibboleth IdP 4.x Wiki
