What is Shibboleth?

Shibboleth is software for identity management in federations, which makes it possible to realize Single Sign On across organizational boundaries. A federation in this context is a group of organizations that cooperate to share user data and protected resources under common guidelines. Shibboleth provides a uniform authentication mechanism for the applications offered by the members of the federation, even though these applications may be realized with different technologies, architectures and security mechanisms. It allows users to sign on to all of these applications with the same username/password and also makes Single Sign On possible for them. Shibboleth's primary target domain is higher education, but it can be used in other areas, too. Example for a federation:

Shibboleth implements the SAML 1.1 standard. It distinguishes between Identity Providers, which manage the user data, and Service Providers, which manage protected resources. If a user wants to access a protected resource and has not authenticated so far, the Service Provider first sends the user to the Identity Provider for authentication. The Identity Provider authenticates the user against a data store and sends a notice (an assertion) about the result to the Service Provider. The data store which contains the user data is usually an LDAP server, but it could also be an RDBMS, NIS, etc. A typical communication between User, Identity Provider and Service Provider looks as follows: ...

Shibboleth provides granular mechanisms to ensure privacy. The data the Identity Provider sends to the Service Provider about the user can contain various attributes of the user, such as userid, name or affiliation, but it can also contain nothing more than the statement "is a valid user", without even the userid of the current user. This attribute release is configured by the Identity Provider individually for each Service Provider.
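The following is an added example, not Shibboleth's own code or configuration: a toy model of the flow described above (User, Identity Provider, Service Provider) together with the per-Service-Provider attribute release policy. The user store, the entity IDs, the attribute names and the HMAC-signed "assertion" are all constructed stand-ins (a real deployment uses LDAP, SAML 1.1 XML and XML signatures); they only serve to show how the Identity Provider decides, per Service Provider, which attributes leave the organization and how the Service Provider checks that an assertion was really issued for it.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _hash_pw(password: str, salt: str) -> str:
    """Salted SHA-256 digest; the store never holds plaintext passwords."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the Identity Provider's data store (LDAP in practice).
USER_STORE = {
    "alice": {
        "salt": "s1",
        "pw_hash": _hash_pw("correct horse", "s1"),
        "attributes": {
            "uid": "alice",
            "displayName": "Alice Example",
            "eduPersonAffiliation": "staff",
        },
    },
}

# Hypothetical per-Service-Provider release policy. An empty list means
# "assert only that this is a valid user" and release no attribute at all.
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": ["uid", "displayName", "eduPersonAffiliation"],
    "https://wiki.example.org/shibboleth": ["eduPersonAffiliation"],
    "https://survey.example.org/shibboleth": [],
}


class IdentityProvider:
    def __init__(self, user_store, release_policy, signing_key: bytes):
        self.user_store = user_store
        self.release_policy = release_policy
        self.signing_key = signing_key

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.user_store.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], _hash_pw(password, rec["salt"]))

    def issue_assertion(self, username: str, sp_entity_id: str) -> dict:
        """Build a signed statement for one SP, filtered by that SP's policy.
        An SP with no policy entry gets the bare 'valid user' statement."""
        allowed = self.release_policy.get(sp_entity_id, [])
        attrs = self.user_store[username]["attributes"]
        released = {k: v for k, v in attrs.items() if k in allowed}
        body = {
            "audience": sp_entity_id,     # the SP this assertion is meant for
            "valid_user": True,
            "attributes": released,
            "nonce": secrets.token_hex(8),
        }
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    def __init__(self, entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self.idp_key = idp_key

    def consume_assertion(self, assertion: dict) -> Optional[dict]:
        """Verify signature and audience; return session attributes, or None if rejected."""
        expected = hmac.new(self.idp_key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        body = json.loads(assertion["payload"])
        if body.get("audience") != self.entity_id or not body.get("valid_user"):
            return None
        return body["attributes"]


def run_flow(username: str, password: str, sp_entity_id: str,
             idp_key: bytes = b"constructed-shared-key") -> Optional[dict]:
    """User hits the SP unauthenticated, is sent to the IdP, authenticates there,
    and returns to the SP with an assertion. Returns the released attributes,
    or None when authentication or assertion validation fails."""
    idp = IdentityProvider(USER_STORE, RELEASE_POLICY, idp_key)
    sp = ServiceProvider(sp_entity_id, idp_key)
    if not idp.authenticate(username, password):
        return None
    return sp.consume_assertion(idp.issue_assertion(username, sp_entity_id))


if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        print(sp, "->", run_flow("alice", "correct horse", sp))
```

The survey SP in this model learns only that a valid member of the organization signed in, which is the "is a valid user" case from the text; the library SP receives the full attribute set. The audience check on the SP side matters for privacy as well: an assertion built for the library SP carries more attributes than the wiki SP is entitled to, and the wiki SP must refuse it rather than consume it.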

Shibboleth is developed by the non-profit Internet2 consortium and is released under the Apache Software License.

Identity Provider

Installation

Example Configuration

Service Provider

Resources
