Texas A&M University - Infrastructure Services

How does Shibboleth Work?

A user authenticates with his or her campus credentials. The campus identity provider then passes to the service provider only the minimal identity information needed to make an authorization decision.

There are two major components to the Shibboleth system:

  1. Identity Provider - the software run by a university or other organization with users wishing to access a restricted service
  2. Service Provider - the software run by the provider managing the restricted service

Shibboleth leverages the organization's existing identity and access management system, so that the individual's relationship with the institution determines access rights to services that are hosted both on- and off-campus.

At Texas A&M, Shibboleth is used with CAS as a single sign-on service. When Shibboleth must perform an authentication, CAS is called. If the customer already has an active CAS session, they will not be prompted for their NetID and password. The strengths of the CAS service for NetID and password management continue to be used for all Shibboleth-enabled services.
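The minimal attribute release and the CAS session reuse described above can be modeled in a few lines. This is an added illustration, not Texas A&M's or Shibboleth's own code; the entity IDs, attribute names, directory record, and class names are all constructed for the example.

```python
# Toy model of the sign-on flow; every name and value below is constructed.
DIRECTORY = {"jdoe": {"netid": "jdoe", "mail": "jdoe@example.edu",
                      "affiliation": "student@example.edu"}}
# Per-service release policy: the IdP sends each SP only what it needs.
RELEASE_POLICY = {
    "https://library.example.org/sp": ["affiliation"],
    "https://lms.example.org/sp": ["netid", "mail", "affiliation"],
}

class CasServer:
    """Stand-in for CAS: shows the login prompt only when no session exists."""
    def __init__(self, prompt):
        self._prompt = prompt      # callable: returns a NetID, or None on failure
        self._sessions = {}        # browser session -> NetID
        self.prompts = 0           # how many times the user was asked to log in

    def authenticate(self, browser):
        netid = self._sessions.get(browser)
        if netid is None:
            self.prompts += 1
            netid = self._prompt()
            if netid is None:
                raise PermissionError("CAS login failed")
            self._sessions[browser] = netid
        return netid

class IdentityProvider:
    def __init__(self, cas, directory, policy):
        self.cas, self.directory, self.policy = cas, directory, policy

    def assert_for(self, sp_entity_id, browser):
        allowed = self.policy.get(sp_entity_id)
        if allowed is None:        # no policy for this SP: release nothing
            raise PermissionError("unknown service provider")
        record = self.directory[self.cas.authenticate(browser)]
        return {name: record[name] for name in allowed if name in record}

def library_authorize(attributes):
    """SP side: decide from released attributes only; deny when absent."""
    role = attributes.get("affiliation", "").partition("@")[0]
    return role in {"student", "faculty", "staff"}

def demo():
    cas = CasServer(prompt=lambda: "jdoe")
    idp = IdentityProvider(cas, DIRECTORY, RELEASE_POLICY)
    first = idp.assert_for("https://library.example.org/sp", "browser-1")
    second = idp.assert_for("https://lms.example.org/sp", "browser-1")
    return first, second, cas.prompts

if __name__ == "__main__":
    print(demo())
```

The library service receives only the affiliation value and never learns the NetID, and the second service is reached without a second login prompt.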

The SWITCH Federation site offers a series of technical explanations of how Shibboleth works, from easy to expert.