Shibboleth: identity federation in open source mode (by Thierry Albain, SQLI)


In its version 2, the solution reaches a level of maturity that could allow it to become a reference in the Open Souce universe. It is based on the SAML 2.0 standard

Originally, the Hebrew word Shibboleth was used by a people to distinguish their enemies who were unable to pronounce it correctly. Thanks to this word, trust could be established within a well-defined population.

Today, Shibboleth designates an Open Source software, from the Internet 2 consortium, which establishes in the same way a trust relationship between well-defined and identified entities. It ensures a filtered and secured access to the resources of these entities limited only to the members of these same entities.

Shibboleth, in its version 2, is thus the reference Open Source identity federation software that supports the SAML 2.0 standard.

SAML 2.0

SAML 2.0 (l) was established as an identity federation standard by OASIS, thanks to the work of the Liberty Alliance and the Internet 2 consortium that develops and maintains the Shibboleth software.

Shibboleth implements the three essential SAML 2 building blocks that are the SP (Service Provider), the IdP (Identity Provider) and the DS (Discovery Service).

The particularity of the Shibboleth SP is that it is composed of a standalone service and a module associated with a Web server. In the case of a LAMP platform, the SP is composed of a Linux daemon and an Apache module. In the case of a WIMP platform, the SP is composed of a Windows service and an ISAPII filter. The IdP and DS are Java web applications that can run under Tomcat for example.

The profiles

SAML profiles are well-defined use cases in terms of protocol, transport and assertion. They describe the main use cases of the Federation. Not all SAML profiles are implemented in the current version of Shibboleth, only the main ones.

The most used protocol in the federation world is the “Web Browser SSO” profile. It is naturally implemented in Shibboleth. It allows, through the Internet browser, the transfer of SAML assertions between the IdP and the SP.

The other implemented protocols allow:
Attribute retrieval. In an architecture where identity and authentication repositories are centralized, it is essential to be able to provide the resources that request it with the identity and also the authorizations of the connected user. The advantage is to no longer implement the application accounts in the application but only the permissions in relation to the transmitted roles.
The identity provider discovery service,
The resolution of artifacts,
The exchange of metadata.

Conclusion

Shibboleth is a perfectly satisfactory solution in terms of SAML 2.0 compliance.

Even if the software is easy to install, it remains difficult to access without a minimum of experience in the field. On the other hand, once installed and configured, it remains stable in use and thus allows, in production, the secure opening of its IS at low cost.


Leave a Comment