Authentication and Authorization using Shibboleth
There are two major components to the Shibboleth system:
- Identity Provider - the software run by a university or other organization with Subjects wishing to access a restricted service
- Service Provider - the software run by the provider managing the restricted service
When a Subject attempts to access an on-line service, the Service Provider redirects the Subject to the campus Identity Provider managing the Subject's Credentials. The Subject then authenticates with his or her campus Credential. After a successful authentication, the campus Identity Provider passes back to the Service Provider a minimal set of identity information about the Subject. The Service Provider uses the identity information to determine whether or not the Subject is authorized to access the resource.
Shibboleth leverages the organization's existing identity and access management system, so that the Subject's relationship with the institution determines access rights to services that are hosted both on- and off-campus.
At Texas A&M, Shibboleth is used with CAS as a Single SignOn service. When Shibboleth must perform an authentication, CAS is called. If the customer has an existing CAS session active, they will not be prompted for their NetID credential. The strengths of the CAS service for NetID and password management continue to be used for all Shibboleth-enabled services.
For more information on how Shibboleth works, the SWITCH Federation site offers a series of technical explanations from easy to expert.
Origins and Philosophy
Universities, companies and government agencies are increasingly conducting business and collaborating via online resources. It is common for users to access online resources both inside and outside their organizations to do their work. In the past, each of these services required its own ID and password. For the user, that meant another login ID and password to remember. For the institution, managing these edge-population accounts was labor- and time-intensive.
Shibboleth was developed specifically to address the challenges of:
- multiple passwords required for multiple applications
- scaling the account management of multiple applications
- security issues associated with accessing third-party services
- interoperability within and across organizational boundaries
- enabling institutions to choose their authentication technology
- enabling service providers to control access to their resources
Shibboleth is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows online resources to make informed authorization decisions for individual access in a privacy-preserving manner.
For more information on Shibboleth, please visit the official Shibboleth site.
Install the latest 3.x version of the Shibboleth Service Provider.
- The Shibboleth software can be obtained from the project website.
- Installation instructions for Shibboleth are provided in the project wiki.
Once you have the Shibboleth service provider and supporting packages installed, you can proceed with the configuration of Shibboleth and the webserver.
Configuring a Shibboleth Service Provider
Please see the TAMUFederation Server Provider configuration page for information about configuring your service provider.
Testing your new Shibboleth Service Provider
Test your Service Provider using SAMLtest.
Register your Service Provider in a Federation
Campus- and system-wide server providers will need to register with the TAMUFederation.
Other federations you may register your server provider are listed on the Texas A&M Federations page.
Local vs. Federation-level Applications
Applications only intended for the Texas A&M campus community should connect to the Texas A&M Identity Provider.
Applications open to personnel affiliated with other institutions should connect to the appropriate federation WAYF server.
If you're deploying Shibboleth in production, please subscribe any technical contacts to the firstname.lastname@example.org mailing list to receive notices about Texas A&M-specific system issues, outages, etc. You should also subscribe to the general Shibboleth announcement list (see the Shibboleth Project website).