Authentication & Authorization Services

Shibboleth

Authentication and Authorization using Shibboleth

There are two major components to the Shibboleth system:

  1. Identity Provider - the software run by a university or other organization with Subjects wishing to access a restricted service
  2. Service Provider - the software run by the provider managing the restricted service

When a Subject attempts to access an online service, the Service Provider redirects the Subject to the campus Identity Provider managing the Subject's Credentials. The Subject then authenticates with his or her campus Credential. After a successful authentication, the campus Identity Provider passes back to the Service Provider a minimal set of identity information about the Subject. The Service Provider uses that identity information to determine whether or not the Subject is authorized to access the resource.

Shibboleth leverages the organization's existing identity and access management system, so that the Subject's relationship with the institution determines access rights to services that are hosted both on- and off-campus.

At Texas A&M, Shibboleth is used with CAS as a Single Sign-On service. When Shibboleth must perform an authentication, CAS is called. If the customer has an existing CAS session active, they will not be prompted for their NetID credential. The strengths of the CAS service for NetID and password management continue to be used for all Shibboleth-enabled services.

For more information on how Shibboleth works, the SWITCH Federation site offers a series of technical explanations from easy to expert.

Origins and Philosophy

Universities, companies and government agencies are increasingly conducting business and collaborating via online resources. It is common for users to access online resources both inside and outside their organizations to do their work. In the past, each of these services required its own ID and password. For the user, that meant another login ID and password to remember. For the institution, managing these edge-population accounts was labor- and time-intensive.

Shibboleth was developed specifically to address the challenges of:

  • multiple passwords required for multiple applications
  • scaling the account management of multiple applications
  • security issues associated with accessing third-party services
  • privacy
  • interoperability within and across organizational boundaries
  • enabling institutions to choose their authentication technology
  • enabling service providers to control access to their resources

Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows online resources to make informed authorization decisions for individual access in a privacy-preserving manner.

For more information on Shibboleth, please visit the official Shibboleth site.

Installation

Install the latest 2.x version of the Shibboleth Service Provider.

  • The Shibboleth software can be obtained from the project website.
  • Installation instructions for Shibboleth are provided in the project wiki.

Once you have the Shibboleth service provider and supporting packages installed, you can proceed with the configuration of Shibboleth and the webserver.

Configuring a Shibboleth Service Provider

Please see the TAMUFederation Service Provider configuration page for information about configuring your service provider.

Testing your new Shibboleth Service Provider

Test your Service Provider using TestShib.

Register your Service Provider in a Federation

Campus- and system-wide service providers will need to register with the TAMUFederation.

Other federations with which you may register your service provider are listed on the Texas A&M Federations page.

Local vs. Federation-level Applications

Applications only intended for the Texas A&M campus community should connect to the Texas A&M Identity Provider.

Applications open to personnel affiliated with other institutions should connect to the appropriate federation WAYF server.
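As an added example (not taken from this page or from the Texas A&M configuration page), this is how the campus-only versus federation-level choice shows up in a Shibboleth SP 2.x shibboleth2.xml: a fixed IdP entityID for the local case, a discovery (WAYF) service for the federation case, and a signed-metadata provider so the SP only trusts IdPs the federation has vouched for. All hostnames, entityIDs and file names are placeholders.

```xml
<!-- shibboleth2.xml (excerpt): inside ApplicationDefaults of an SP 2.x configuration.
     Every host name, entityID and file name here is a placeholder, not a Texas A&M value. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          relayState="ss:mem" handlerSSL="true" cookieProps="https">

  <!-- Campus-only application: every login goes straight to the campus IdP.
       The entityID must match the IdP's entityID in the metadata loaded below. -->
  <SSO entityID="https://idp.example.edu/idp/shibboleth">
    SAML2 SAML1
  </SSO>

  <!-- Federation-level application (use INSTEAD of the SSO element above):
       no fixed IdP; the user is sent to the federation's discovery (WAYF)
       service to pick their home institution. -->
  <!--
  <SSO discoveryProtocol="SAMLDS"
       discoveryURL="https://wayf.example-federation.org/DS/WAYF">
    SAML2 SAML1
  </SSO>
  -->

  <Logout>SAML2 Local</Logout>
  <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
  <!-- Status and Session handlers are diagnostic; keep them local-only and
       do not expose attribute values to browsers. -->
  <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
  <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>

<!-- Trust anchor: the SP accepts assertions only from IdPs listed in this
     metadata, and only if the file is signed by the federation's signing
     key and has not expired. -->
<MetadataProvider type="XML"
                  uri="https://federation.example.org/metadata/federation-metadata.xml"
                  backingFilePath="federation-metadata.xml" reloadInterval="7200">
  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
  <MetadataFilter type="Signature" certificate="federation-signer.pem"/>
</MetadataProvider>
```

Use exactly one SSO element per application; whichever IdP the user lands on, the SP still verifies the returned assertion against the signed metadata, so the discovery service itself never becomes a trust decision.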

Community

If you're deploying Shibboleth in production, please subscribe any technical contacts to the shib-customers@listserv.tamu.edu mailing list to receive notices about Texas A&M-specific system issues, outages, etc. You should also subscribe to the general Shibboleth announcement list (see the Shibboleth Project website).