Shibboleth (Internet)

from Wikipedia, the free encyclopedia

Shibboleth is a method developed by Internet2 / MACE for distributed authentication and authorization for web applications and web services. The Shibboleth concept provides that the user only has to authenticate once at their home institution in order to access services or licensed content from various providers regardless of location (single sign-on). Shibboleth is based on an extension of the SAML standard.

Etymology

The project name comes from the Hebrew word Shibboleth (Heb. שבולת), which literally means "flow", "stream" or "flood", but is used in the sense of "password" or "code word".

Components

The software consists of three parts:

  1. Identity provider: located at the home institution
  2. Service provider: located at the provider of the service or content
  3. Localization service or discovery service (formerly WAYF, "Where are you from?"): can optionally be used to locate the user's home institution.

The components can be installed independently of one another. For Shibboleth to work, at least one identity provider and one service provider are required. Release 2 of the Shibboleth Identity Provider was published on March 17, 2008; version 3 has been available since February 25, 2015.

How it works

The easiest way to explain how Shibboleth works is with the following scenario:

Authentication (who are you?)

A user wants to access a protected resource. The provider accepts the request and checks whether the user is already authenticated. If not, the user is redirected to a localization service. The localization service offers a selection of institutions. The user selects their home institution and is redirected to it. The home institution checks whether the user is already authenticated. If not, the user is asked to authenticate (for example with a user ID and password or a chip card). The home institution issues a "digital credential" and redirects the user back to the provider. The provider checks the content of this digital credential.

Authorization (what are you allowed to do?)

If the provider needs further information in order to decide whether the user may access the desired resource (for example the faculty affiliation at a university), it queries the user's home institution. The provider then checks against its own rules whether the user is allowed to access the resource, and allows or denies access.
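The scenario above, authentication followed by an attribute query for authorization, as an added example that is not part of the article or of the Shibboleth software. It is a simplified Python model: an HMAC-signed JSON assertion with a key shared between identity provider and service provider stands in for the SAML XML assertion and XML signature that Shibboleth actually uses, and the entity IDs, user record and faculty attribute are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed sample federation (assumption): the SP trusts one IdP whose
# key it knows. Real Shibboleth uses SAML metadata and XML-DSig, not HMAC.
IDP_KEYS = {"https://idp.example-uni.edu": b"constructed-idp-key"}
IDP_USERS = {"https://idp.example-uni.edu": {"alice": {"pw": "s3cret", "faculty": "physics"}}}
SP_ENTITY_ID = "https://sp.example-publisher.org"
ASSERTION_TTL = 300  # seconds an issued credential stays valid

def discovery_service(federation_members, chosen):
    """WAYF step: the user picks a home institution; only members are valid."""
    if chosen not in federation_members:
        raise ValueError("unknown institution")
    return chosen

def idp_authenticate(idp, user, password, audience, now=None):
    """IdP checks the user's credentials and issues a signed, short-lived
    'digital credential' addressed to one specific service provider."""
    record = IDP_USERS[idp].get(user)
    if record is None or record["pw"] != password:
        return None
    now = int(time.time()) if now is None else now
    body = {"issuer": idp, "subject": user, "audience": audience,
            "iat": now, "exp": now + ASSERTION_TTL}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[idp], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp_verify(assertion, now=None):
    """SP checks the credential: known issuer, valid signature, correct
    audience and not expired. Returns the verified body or None."""
    body = json.loads(assertion["payload"])
    key = IDP_KEYS.get(body["issuer"])
    if key is None:
        return None
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    if body["audience"] != SP_ENTITY_ID:
        return None
    now = int(time.time()) if now is None else now
    return body if now < body["exp"] else None

def sp_authorize(body, allowed_faculties):
    """Authorization step: SP asks the home institution for an attribute
    (faculty) and applies its own access rule to the answer."""
    faculty = IDP_USERS[body["issuer"]][body["subject"]].get("faculty")
    return faculty in allowed_faculties
```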

Use

Shibboleth is mainly used in research and education. It can be deployed bilaterally (one provider, one institution), in a larger environment such as in Baden-Württemberg (bwIDM), Saxony (SaxID) and North Rhine-Westphalia (idm.nrw), or across the board for an entire country. Beyond a certain size, a so-called federation takes over the organization and technical support. One such federation in Germany is the DFN-AAI, which was founded by the German Research Network (DFN) in cooperation with the Albert-Ludwigs-Universität Freiburg. Other federations include SWITCHaai (Switzerland), ACOnet Identity Federation (Austria), DK-AAI (Denmark), HAKA (Finland), CRU (France) and UKFederation (Great Britain). Under the brand name eduGAIN, GÉANT also operates an amalgamation of national federations into a so-called interfederation.

Shibboleth's logo is a griffin. The Hebrew name Shibboleth, which is protected as a trademark, has its origin in the Old Testament (see the etymology of Shibboleth).

References

  1. bwIDM - Federated Identity Management of Baden-Württemberg Universities.
  2. Development of a federated identity management system for the distributed use of IT services in Saxony. In: forschungsinfo.tu-dresden.de. Retrieved December 19, 2015.
  3. idm.nrw - Feasibility study of federated identity management in North Rhine-Westphalia.