Database on Identity Management Systems

“Shibboleth (Version: 2.0)”:

Manufacturer of the IMS

  • Internet2 Middleware Architecture Committee for Education, with contributions from IBM.
  • URL:
  • Nature of provider / distributor: Public, University, Research Institution
  • Nationality of the manufacturer: N/A

Type of the IMS / Class of the IMS

  • Type of the IMS: Type 1
  • Class of the IMS: N/A

Supported languages

  • England: English

References for the IMS

Is the IMS an open/closed IMS?: Open

State of IMS deployment: Available

Distribution of the IMS: N/A

Geographic scope: Global

Hardware and software requirements of the IMS

Hardware: unrestricted; Software: Windows NT/2000/XP/2003, Linux, Solaris, and Mac OS X. Apache web server 1.3 or higher. Apache web server 2.0 or higher. Tomcat 4.1.18-24 LE Java server and above. Sun J2SE JDK v1.4.1_01 and above. Microsoft IIS 4.0 or higher.

Installed base of the IMS (Userbase)

A number of universities, scientific publishers and research institutions in the US, Switzerland, Finland, the Netherlands and the UK. The number of individual users is not published.

Interoperability and supported standards

Shibboleth uses the OASIS SAML 1.0 schema for communication about authentication and user attributes (a recent draft uses SAML 1.1). Shibboleth queries LDAP or SQL databases for user attributes. Shibboleth interacts with local single sign-on systems to authenticate users locally.


Version 2.0 supports SAML 2.0

Server-side component(s)

Shibboleth distinguishes identity providers (or Origins) and service providers (or Targets).

The Origin side consists of the following components:

- Handle Service: creates handles for users for communication with Targets. The handles are ephemeral.
- Local Single Sign-On: the users have to log in at the SSO first.
- Attribute Authority: processes requests from Targets about handles and filters the requests using Attribute Release Policies (ARPs).
- Directory Service: stores users’ attributes.

The Target side consists of the following components:

- Resource manager: decides whether a resource needs authentication.
- Shibboleth Indexical Reference Establisher (SHIRE): requests handles for users.
- Shibboleth Attribute Requester (SHAR): requests attributes for handles.

Communication between the various components should be encrypted using TLS. Users can specify Attribute Release Policies, which can restrict access to attributes. The handles created by the Handle Service are anonymous and short-lived. If a user protects all attributes which would make her identifiable, the transactions remain pseudonymous.

Client-side component(s)

Only a web-browser is required.

Description of functionality / features (client and server)

Shibboleth allows the use of authorization mechanisms across administrative realms (this is called ‘federation’ in other descriptions). Its domain is restricted to World-Wide Web applications, where it is used as authentication middleware.

Important features are:

- The actual authentication is handled by a local sign-on system. These systems may differ per participating organisation, but the heterogeneity does not hinder the federation of trust.

- The exact authentication method is abstracted away in SAML. This in turn allows different authentication techniques to be used appropriately in different contexts.

- Service providers get ephemeral handles on the users. This is in contrast to other systems, which hand over globally unique, long-lived identifiers which can be used to build profiles of users’ online behaviour.

- A service provider may request many attributes for a handle. The set of possible attributes is not per se restricted as it is in other schemes.

- The users may specify privacy policies (called Attribute Release Policies).
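The component description above (Handle Service, Attribute Authority, SHIRE, SHAR, ARPs) and the feature list (ephemeral handles, user-specified Attribute Release Policies) describe one exchange: the Target obtains a short-lived handle for the user, asks the Origin for attributes against that handle, and the Origin answers only with what the user's ARP permits. The following added simulation, which is not Shibboleth's code and is not from the FIDIS record, walks one user through two Targets so the privacy properties become visible: the two handles are unlinkable, the journal sees only an affiliation (a pseudonymous transaction), a handle bound to one Target is refused by another, and an expired handle is refused. The user, attribute names, Target names, ARP contents and the 300-second handle lifetime are all constructed for the example.

```python
import secrets

# Constructed sample data (not from the page): the Directory Service holds one user's attributes.
DIRECTORY = {
    "alice": {
        "eduPersonAffiliation": "member",
        "eduPersonPrincipalName": "alice@origin.example",
        "mail": "alice@origin.example",
        "givenName": "Alice",
    },
}

# Constructed Attribute Release Policies: per user, which attributes each Target may receive.
# The journal is allowed only an affiliation, so its view of the user stays pseudonymous.
ARPS = {
    "alice": {
        "journal.example": {"eduPersonAffiliation"},
        "portal.example": {"eduPersonAffiliation", "eduPersonPrincipalName", "mail"},
    },
}

HANDLE_TTL = 300  # seconds; a hypothetical lifetime for an ephemeral handle


class Origin:
    """Hypothetical Origin: Handle Service plus Attribute Authority, with an injectable clock."""

    def __init__(self, directory, arps, clock):
        self.directory = directory
        self.arps = arps
        self.clock = clock          # callable returning the current time in seconds
        self.handles = {}           # handle -> (user, bound target, expiry time)

    def sso_login(self, user):
        # Stand-in for the local single sign-on: only users known to the directory pass.
        return user in self.directory

    def issue_handle(self, user, target):
        """Handle Service: mint an opaque, random, short-lived handle bound to one Target."""
        if not self.sso_login(user):
            raise PermissionError("local SSO rejected the user")
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (user, target, self.clock() + HANDLE_TTL)
        return handle

    def attribute_query(self, handle, target, requested):
        """Attribute Authority: resolve the handle, then filter the request through the user's ARP."""
        entry = self.handles.get(handle)
        if entry is None:
            return None                                   # unknown handle
        user, bound_target, expiry = entry
        if target != bound_target or self.clock() > expiry:
            return None                                   # presented to the wrong Target, or expired
        allowed = self.arps.get(user, {}).get(target, set())
        attrs = self.directory[user]
        return {a: attrs[a] for a in requested if a in allowed and a in attrs}


class Target:
    """Hypothetical Target: SHIRE holds the handle, SHAR queries attributes, resource manager decides."""

    def __init__(self, name, origin, required_attr="eduPersonAffiliation"):
        self.name = name
        self.origin = origin
        self.required_attr = required_attr   # the one attribute the resource manager insists on

    def access(self, handle, requested):
        attrs = self.origin.attribute_query(handle, self.name, requested)
        if attrs is None:
            return ("denied", None)
        if self.required_attr not in attrs:
            return ("denied", attrs)
        return ("granted", attrs)


def run_demo():
    """Walk one user through two Targets and return the observable outcomes."""
    clock = [1_000.0]
    origin = Origin(DIRECTORY, ARPS, lambda: clock[0])
    journal = Target("journal.example", origin)
    portal = Target("portal.example", origin)
    wanted = ["eduPersonAffiliation", "eduPersonPrincipalName", "mail", "givenName"]

    h1 = origin.issue_handle("alice", journal.name)   # SHIRE step at the journal
    h2 = origin.issue_handle("alice", portal.name)    # SHIRE step at the portal
    journal_result = journal.access(h1, wanted)       # SHAR step at the journal
    portal_result = portal.access(h2, wanted)         # SHAR step at the portal

    cross_target = journal.access(h2, wanted)         # portal's handle presented to the journal
    clock[0] += HANDLE_TTL + 1                        # let both handles expire
    expired = portal.access(h2, wanted)

    return {
        "handles_differ": h1 != h2,
        "journal": journal_result,
        "portal": portal_result,
        "cross_target": cross_target,
        "expired": expired,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The ARP is applied at the Origin, not at the Target, so the Target never learns which attributes were withheld; and because the journal receives a fresh random handle per session and no identifying attribute, two visits by the same user cannot be tied together from the journal's records alone.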

Main functionality

Web Single-Sign On.

Purchase costs in EUR

0

Flow charts of the IMS

Screenshots of the IMS

Other file resources

N/A

Evaluator of the IMS

Martin Meints (ICPP)

General Comments (free text)

This record was last updated on: 17-04-2008 11:56