Authentication & Authorization Services

Shibboleth

Authentication and Authorization using Shibboleth

There are two major components to the Shibboleth system:

  1. Identity Provider - the software run by a university or other organization with Subjects wishing to access a restricted service
  2. Service Provider - the software run by the provider managing the restricted service

When a Subject attempts to access an online service, the Service Provider redirects the Subject to the campus Identity Provider that manages the Subject's Credentials. The Subject then authenticates with his or her campus Credential. After a successful authentication, the campus Identity Provider passes back to the Service Provider a minimal set of identity information about the Subject. The Service Provider uses that identity information to determine whether or not the Subject is authorized to access the resource.

Shibboleth leverages the organization's existing identity and access management system, so that the Subject's relationship with the institution determines access rights to services that are hosted both on- and off-campus.

At Texas A&M, Shibboleth is used with CAS as a single sign-on service. When Shibboleth must perform an authentication, CAS is called. If the user has an active CAS session, they will not be prompted for their NetID credential. The strengths of the CAS service for NetID and password management continue to apply to all Shibboleth-enabled services.
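The redirect-authenticate-assert flow described above, together with the session reuse that CAS provides, as an added toy model. This is constructed illustration code, not Shibboleth's, CAS's or Texas A&M's software: a real Identity Provider issues XML-signed SAML assertions to a Service Provider, whereas here an HMAC-signed JSON payload stands in for the assertion, a dictionary stands in for the CAS session store, and the directory entries, release policy, resource names and the key are all made up for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real Shibboleth IdP signs SAML assertions with an
# X.509 key pair; a shared HMAC key keeps this example self-contained.
IDP_KEY = b"constructed-demo-idp-key"

# Constructed campus directory: what the Identity Provider knows about each Subject.
DIRECTORY = {
    "jdoe":   {"password": "hunter2", "affiliation": "student"},
    "asmith": {"password": "correct-horse", "affiliation": "faculty"},
}

# Attribute release policy: the minimal set of attributes each SP may receive.
RELEASE_POLICY = {"library-sp": ["affiliation"]}

# The Service Provider's own authorization rules, keyed by resource path (constructed).
AUTHZ_RULES = {
    "/journals":     {"student", "faculty", "staff"},
    "/grades-admin": {"faculty"},
}

SESSIONS = {}  # stands in for the CAS single sign-on session store


def idp_login(username, password, sso_cookie=None):
    """Return a session cookie, reusing an active SSO session when one exists."""
    if sso_cookie in SESSIONS:
        return sso_cookie            # active session: no credential prompt, as with CAS
    record = DIRECTORY.get(username)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = username
    return cookie


def idp_issue_assertion(sso_cookie, sp_id):
    """Build a signed assertion carrying only the attributes released to sp_id."""
    username = SESSIONS[sso_cookie]
    record = DIRECTORY[username]
    # SP-scoped pseudonymous subject id, so the SP never sees the campus username
    # and two SPs cannot correlate the same person.
    subject = hashlib.sha256(f"{sp_id}:{username}".encode()).hexdigest()[:16]
    payload = {
        "audience": sp_id,
        "subject": subject,
        "attributes": {k: record[k] for k in RELEASE_POLICY.get(sp_id, [])},
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": sig}


def sp_consume(assertion, sp_id, resource):
    """Verify the assertion, then decide access from the released attributes."""
    body = assertion["body"].encode()
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "rejected: bad signature"
    payload = json.loads(body)
    if payload["audience"] != sp_id:
        return "rejected: wrong audience"   # assertion minted for a different SP
    allowed = AUTHZ_RULES.get(resource, set())
    if payload["attributes"].get("affiliation") in allowed:
        return "granted"
    return "denied"


def web_sso(username, password, resource, sp_id="library-sp", sso_cookie=None):
    """End-to-end flow: SP redirect -> IdP authentication -> assertion -> SP decision."""
    cookie = idp_login(username, password, sso_cookie)
    if cookie is None:
        return "authentication failed", None
    assertion = idp_issue_assertion(cookie, sp_id)
    return sp_consume(assertion, sp_id, resource), cookie


if __name__ == "__main__":
    decision, cookie = web_sso("jdoe", "hunter2", "/journals")
    print("first visit:", decision)
    # Second SP visit with the session cookie: no credential is needed.
    print("with existing session:", web_sso("jdoe", "", "/journals", sso_cookie=cookie)[0])
```

Two points from the text are visible in the output: the assertion carries the affiliation but neither the NetID-style username nor the password, so the Service Provider decides authorization on a minimal attribute set, and a second request that presents a live session cookie passes through the Identity Provider without a credential prompt.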

For more information on how Shibboleth works, the SWITCH Federation site offers a series of technical explanations from easy to expert.

Origins and Philosophy

Universities, companies and government agencies are increasingly conducting business and collaborating via online resources. It is common for users to access online resources both inside and outside their organizations to do their work. In the past, each of these services required its own ID and password. For the user, that meant another login ID and password to remember. For the institution, managing these edge-population accounts was labor- and time-intensive.

Shibboleth was developed specifically to address the challenges of:

  • multiple passwords required for multiple applications
  • scaling the account management of multiple applications
  • security issues associated with accessing third-party services
  • privacy
  • interoperability within and across organizational boundaries
  • enabling institutions to choose their authentication technology
  • enabling service providers to control access to their resources

Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows online resources to make informed authorization decisions for individual access in a privacy-preserving manner.

For more information on Shibboleth, please visit the official Shibboleth site.

Shibboleth @ Texas A&M