Shibboleth is a web-based software tool that supports single sign-on (SSO) between two applications or between two organizations. It is an open-source tool used mainly for Single Sign-On (SSO) with the SAML protocol. It cannot implement SSO with protocols such as OAuth or OpenID Connect.
It helps sites make informed authorization decisions for accessing protected resources and provides federated, identity-based authentication and authorization that allows cross-domain Single Sign-On (SSO) and removes the need for separate access credentials.
The Shibboleth web-based Single Sign-On (SSO) system consists of three components:
- Identity Provider (IDP) — An identity provider (IDP) creates, maintains, and manages user identities and information. Identity Providers are responsible for user authentication and providing required user information to the Service Provider (SP).
- Service Provider (SP) — The Service Provider (SP) receives authentication assertions from the Identity Provider and, on the basis of those assertions, authenticates the user.
- Discovery Service (DS) — It helps the Service Provider discover the user's Identity Provider. It may be located anywhere on the web, and most of the time it is not required.
Shibboleth SSO Workflow
The diagram below shows the common single sign-on (SSO) workflow and the interaction between the User, the Identity Provider (IDP), and the Service Provider (SP).
Shibboleth SSO flow with miniOrange IDP
The authentication process using an Identity Provider (IDP) takes place in the following steps:
- The user requests a protected resource from a Service Provider (website).
- The Service Provider identifies the user's Identity Provider (IDP) with the help of the miniOrange discovery service and redirects the user to that Identity Provider (IDP) for authentication.
- The Identity Provider checks whether the user already has an active session; if not, it asks the user to enter their credentials, and the authentication request is processed by the IDP.
- The Identity Provider (IDP) sends an authentication response to the Service Provider (SP).
- After the user has been authenticated by the Identity Provider (IDP), the Service Provider (SP) grants the user access.
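The five-step flow above, as an added illustration that is not miniOrange's or Shibboleth's code: a Python model of the SP, the IdP session check and the discovery lookup, with the SP-side checks (trusted issuer, signature, audience, request ID, expiry) that turn step 5 into a safe access decision. An HMAC over a JSON assertion stands in for SAML's XML signature; the entity IDs, user and key are constructed.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo key standing in for the IdP's XML signing key (real SAML uses XML-DSig).
IDP_KEY = b"demo-idp-signing-key"

class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id, self.users, self.sessions = entity_id, users, {}

    def authenticate(self, request, session=None, credentials=None):
        # Step 3: reuse an active session, otherwise require valid credentials.
        user = self.sessions.get(session)
        if user is None:
            if not credentials or self.users.get(credentials[0]) != credentials[1]:
                return None, None
            user, session = credentials[0], secrets.token_hex(8)
            self.sessions[session] = user
        # Step 4: the assertion is bound to the requesting SP and to this exact request.
        assertion = {"issuer": self.entity_id, "subject": user, "audience": request["sp"],
                     "in_response_to": request["id"], "not_on_or_after": time.time() + 300}
        body = json.dumps(assertion, sort_keys=True).encode()
        return {"assertion": assertion, "sig": hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()}, session

class ServiceProvider:
    def __init__(self, entity_id, discovery, trusted_idp_keys):
        # discovery: user domain -> IdP entity ID (the Discovery Service's job)
        self.entity_id, self.discovery, self.trusted = entity_id, discovery, trusted_idp_keys
        self.pending = set()  # IDs of AuthnRequests we issued and have not yet consumed

    def start_login(self, user_domain):
        # Steps 1-2: locate the user's IdP and build an AuthnRequest with a fresh ID.
        req_id = secrets.token_hex(8)
        self.pending.add(req_id)
        return self.discovery[user_domain], {"id": req_id, "sp": self.entity_id}

    def consume(self, response):
        # Step 5: grant access only if every check on the assertion passes.
        a = response["assertion"]
        key = self.trusted.get(a["issuer"])
        if key is None:
            return None  # unknown or untrusted IdP
        body = json.dumps(a, sort_keys=True).encode()
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), response["sig"]):
            return None  # forged or altered assertion
        if a["audience"] != self.entity_id or a["not_on_or_after"] < time.time():
            return None  # issued for another SP, or expired
        if a["in_response_to"] not in self.pending:
            return None  # unsolicited or replayed response
        self.pending.discard(a["in_response_to"])
        return a["subject"]
```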
Authenticate with IDPs without any external software
With the miniOrange SAML plugin, you can configure multiple IDPs registered with the HAKA Federation. This allows users to authenticate with these IDPs without installing any external software such as Shibboleth SP or Gluu Server. Get all your user details and, if necessary, auto-provision users, all from a single installation of one plugin.
Limitations of Shibboleth
- It supports only a limited set of protocols, such as SAML.
- Support and customization are not available because it is open-source, unlike other vendors who provide full support.
- It is more complex to set up, and its configuration is more involved.
- It only supports SAML 1 and SAML 2 and the protocol features available up to Shibboleth 2.4.
- The Shibboleth IdP V3 software has reached its End of Life and is no longer supported.
This web-based open-source tool supports single sign-on (SSO) between two applications or organizations using the SAML protocol and cannot be used with other protocols such as OAuth or OpenID Connect.
The common workflow of Shibboleth single sign-on (SSO) is the interaction between the User, the Identity Provider (IDP), and the Service Provider (SP), where the SP figures out the IDP with the help of the miniOrange discovery service