Shibboleth Inter-realm Authentication Service
Identity Management Services provides a Shibboleth Identity Provider, and service providers can be set up on web servers as needed. Our identity provider authenticates using our Argus Authentication Service.

We currently have a demonstration Shibboleth Service Provider available at https://argust.cc.ku.edu/cgi-bin/secure/test-cgi.pl, which you can log into by selecting "The University of Kansas" on the "Select an Identity Provider" screen. This will direct you to an Argus-protected Shibboleth Identity Provider, and you can log in using your KU Online ID and password.

One of the nice features of Shibboleth is that unlike Argus, it can protect static web pages. Any page that can be protected using Apache's .htaccess or <Location> mechanisms can be protected using Shibboleth. There is also a client for Windows IIS platforms.
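The following Apache configuration fragment is an added illustration of that point, not a configuration from KU Identity Management Services or from the Shibboleth project. It assumes the Shibboleth Service Provider and its Apache module (mod_shib) are installed and registered with the Identity Provider; the paths and the `member@example.edu` value are constructed placeholders. The `Require shib-attr` form needs Apache 2.4 with a reasonably current SP; on older combinations only the session-based rules apply.

```apache
# Added example (not KU's or the Shibboleth project's own configuration).
# Assumes mod_shib is loaded and the SP is registered with the IdP.
# Paths and attribute values below are constructed placeholders.

# Protect a whole directory tree of static files. Enforcement happens in the
# web server before the file is served, so no application code is involved.
# A browser arriving without a Shibboleth session is redirected into the
# IdP-selection and login flow.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# The same protection from a .htaccess file in the directory (the main
# config must grant "AllowOverride AuthConfig" for that directory):
#   AuthType shibboleth
#   ShibRequestSetting requireSession 1
#   Require valid-user

# Attribute-based rule: require a "member" affiliation in the constructed
# example.edu scope. The SP's default attribute-map.xml maps
# eduPersonScopedAffiliation to the id "affiliation".
<Location /members-only>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation member@example.edu
</Location>

# "Lazy" session: the page is served to anonymous users too, but when a
# session exists the released attributes are exposed to the content
# (REMOTE_USER and environment variables) for personalisation.
<Location /public-with-optional-login>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    Require shibboleth
</Location>
```

Two things to check after applying such rules: the SP's own handler path (`/Shibboleth.sso` by default) must not fall under a protected `<Location>`, or the login round trip cannot complete; and because the SP session is held in a browser cookie, an access decision stays in force until that cookie is gone, which is the behaviour behind the logout caveat described below.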

One of the not so nice features of Shibboleth is that it has no logout functionality. You must close all of your browser windows to destroy the cookies that maintain login state.

Shibboleth Protocol Walkthrough

Here is a short PowerPoint slide show illustrating the steps involved in authenticating via Shibboleth.

Slide Show

Shibboleth High Points

The Shibboleth project, from Internet2/MACE, provides an open source product to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth is developing a policy framework that will allow inter-operation within the higher education community. Key concepts within Shibboleth include:

  • Federated Administration. The Identity Provider site (home to the browser user) provides assertions about that user to the Service Provider site. A trust fabric exists between sites, allowing each site to identify the other speaker, and assign a trust level.
  • Access Control Based On Attributes. Access control decisions are made using those assertions. The assertions might include Identity, but many situations will not require this.
  • Active Management of Privacy. The Identity Provider site, and the browser user, control what information is released to the Service Provider. A typical default is merely "member of community". Users are no longer at the mercy of the target site's privacy policy.
  • Standards Based. Shibboleth uses OpenSAML, which is based on the Security Assertion Markup Language (SAML) developed by the OASIS Security Services Technical Committee.
  • A Framework for Multiple, Scalable Trust and Policy Sets (Federations). Shibboleth uses Federations to specify a set of parties who have agreed to a common set of policies. (A site can be in multiple Federations, though.) This moves the trust framework beyond bilateral agreements, while providing flexibility when different situations require different policy sets.
  • A Standard (yet extensible) Attribute-Value Vocabulary. Shibboleth has defined a standard set of attributes; the primary set is based on the eduPerson object class, which includes widely used person attributes in higher education.