What is Shibboleth?
Over the past few years, JISC has invested significant resources in the development of the next generation of access management system, based on the Shibboleth technology. This page will explain what Shibboleth is.
What is Shibboleth?
Shibboleth is an architecture that enables organisations to build single sign-on environments that allow users to access web-based resources using a single login. Shibboleth uses open standards (such as SAML) and was developed by the Internet2 middleware group. The latest version of the Shibboleth software is 2.0.
JISC has recently announced its decision to move from Athens to a new generation access management service, based on the Shibboleth technology. More on JISC plans to adopt federated access management and Shibboleth.
Some of the benefits of using Shibboleth
Users will have a single sign-on using an institutional ID and password for a wide range of resources, as well as the assurance that their personal data will not be disclosed to third parties.
Librarians will be free of the burden of user name and password administration, and will have new tools for managing licenses and service subscriptions.
IT managers will have more control of the access management process through enhancements to enterprise directories, although this will require additional institutional effort in the short term.
Institutions will have a single service to meet the requirements of e-learning, e-research and library-managed resources. Simplification of the authentication process has also proven to lead to increased use of subscribed services.
How does Shibboleth work?
The Shibboleth architecture defines a way of exchanging information between an organisation and a provider of digital resources (such as data, video, documents, and so on). By using Shibboleth, the information is exchanged in a secure manner, protecting both the security of the data and the privacy of the individual.
In the Shibboleth model, the organisation is responsible for authenticating the user - that is, for checking that the credentials the user presents are correct (typically a username/password combination). The organisation is also responsible for providing information about the user; for example, whether the user is a student, a lecturer, or a member of the zoology department. This information is called attribute information. The organisation is called the Identity Provider.
The decision to authorise access to a resource is the responsibility of the owner of that resource, and is based on the user's attribute information. Attribute information can be as simple as 'member of zoology department' or as complex as 'member of project team who has signed up to the project terms and conditions'. The provider of the resource is called the Service Provider.
To find out more about the Shibboleth architecture.
What is a federation?
Organisations that use Shibboleth to access resources must join or create a federation. A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services. The federation combined with identity management software within institutions and organisations can be referred to as federated access management.
How authentication is carried out by the institution and how rights management is carried out by the service provider is left up to the respective parties. In doing so, Shibboleth depends on a certain level of trust. These trust agreements are managed by federations, which are typically established at a national level.
The UK federation is called the UK Access Management for Education & Research. It is run by JANET, building on the experiences of a successful pilot federation at EDINA (a JISC data centre), on behalf of JISC and Becta.
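The following is an added example, not code from the JISC page or from the Shibboleth project, that shows in miniature what the Service Provider side of the model described above does: it takes the attribute statement released by an Identity Provider, checks that the issuer is a member of the federation (the trust relationship of the previous section), and then applies the resource owner's own access rules to the attributes. The attribute names are the standard eduPerson OIDs; the issuer URL, the federation membership list, the department and project values, and the two resources are all constructed for the example. It assumes the assertion's signature and audience have already been verified by the SP software, which is the step that actually enforces the federation's trust in practice.

```python
"""Attribute-based authorisation at a Shibboleth Service Provider (illustrative example)."""
import xml.etree.ElementTree as ET  # for XML from the network use defusedxml; input here is constructed

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the federation's signed metadata: the Identity Providers
# this Service Provider has agreed to trust by joining the federation.
FEDERATION_IDPS = {"https://idp.example.ac.uk/idp/shibboleth"}

# Constructed attribute statement as an Identity Provider might release it. Note that it
# carries no name or e-mail address: the SP learns what the user is, not who they are.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2007-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.ac.uk</saml:AttributeValue>
      <saml:AttributeValue>student@example.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" FriendlyName="eduPersonOrgUnitDN">
      <saml:AttributeValue>ou=Zoology,o=Example University,c=GB</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example.ac.uk:project:coral-survey:member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user after accepting the project terms: the IdP releases one more entitlement value.
WITH_TERMS_ACCEPTED = SAMPLE_ASSERTION.replace(
    "coral-survey:member</saml:AttributeValue>",
    "coral-survey:member</saml:AttributeValue>\n"
    "      <saml:AttributeValue>urn:mace:example.ac.uk:project:coral-survey:terms-accepted"
    "</saml:AttributeValue>")

# Same statement from an Identity Provider that is not in the federation.
FROM_UNKNOWN_IDP = SAMPLE_ASSERTION.replace("idp.example.ac.uk", "idp.not-a-member.example")


def parse_assertion(assertion_xml):
    """Return (issuer, attributes); attributes maps FriendlyName (or OID) to a set of values."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", SAML_NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text}
        attrs.setdefault(key, set()).update(values)
    return issuer, attrs


# The resource owner's rules, written as predicates over the released attributes.
def in_org_unit(ou):
    """Simple rule from the page: 'member of zoology department'."""
    return lambda attrs: any(dn.startswith(f"ou={ou},") for dn in attrs.get("eduPersonOrgUnitDN", set()))


def has_all_entitlements(*required):
    """Complex rule from the page: project member who has also signed the terms and conditions."""
    return lambda attrs: set(required) <= attrs.get("eduPersonEntitlement", set())


POLICY = {
    "zoology-reading-list": in_org_unit("Zoology"),
    "coral-survey-data": has_all_entitlements(
        "urn:mace:example.ac.uk:project:coral-survey:member",
        "urn:mace:example.ac.uk:project:coral-survey:terms-accepted"),
}


def authorise(resource, assertion_xml):
    """Decide access: trusted federation member first, then the resource's own rule; default deny."""
    issuer, attrs = parse_assertion(assertion_xml)
    if issuer not in FEDERATION_IDPS:
        return False  # no trust agreement with this IdP, so its attributes count for nothing
    rule = POLICY.get(resource)
    return bool(rule and rule(attrs))


if __name__ == "__main__":
    for label, xml in [("as released", SAMPLE_ASSERTION), ("terms accepted", WITH_TERMS_ACCEPTED),
                       ("unknown IdP", FROM_UNKNOWN_IDP)]:
        for resource in POLICY:
            print(f"{label:15} {resource:22} -> {'allow' if authorise(resource, xml) else 'deny'}")
```

The two rules show the range the page describes: the reading list needs only the department, while the project data needs two separate entitlement values, so a project member who has not yet accepted the terms is refused even though the first rule would admit them. Real SP deployments express such rules in the Shibboleth SP's own access-control configuration rather than in application code, but the decision logic, attributes in and a yes/no out with the institution never told which resource was requested, is the same.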
If you need more information about Shibboleth, see the Internet2 Shibboleth website.