Shibboleth

Shibboleth provides a set of network services that support a federated authorization and authentication model. Designed with universities, corporations, and government agencies in mind, Shibboleth allows organizations to participate in the authentication and authorization of their individual members (e.g., faculty, students, employees) when those members use services provided by external agencies (e.g., commercial or government services).

Shibboleth makes use of local authentication systems at "home institutions" (the organization where an individual user works or goes to school) in cooperation with local Shibboleth services to inform remote services of the validity of requests by local users to use the services.

Shibboleth services on remote web servers intercept user requests and (if the user is not recognized as a known user) work with the user to determine their home institution. They then interact with the home institution's Shibboleth services to obtain a "handle" for the user that contains any identification information that the home institution chooses to make available as well as "attributes" that describe the role(s) that the user has in the institution. This information is used by the remote service to determine whether to give the user access to the service or not.
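
A minimal model of the exchange described above, added here as an illustration; it is not Shibboleth code and does not reproduce its message formats. All class, function, user and service names are hypothetical, and the directory and release policy are constructed sample data.

```python
import secrets

# Constructed sample data: a home institution's directory and its
# per-service attribute release policy (all names are hypothetical).
DIRECTORY = {
    "jdoe": {"name": "Jane Doe", "affiliation": "faculty", "department": "physics"},
    "asmith": {"name": "Al Smith", "affiliation": "alum", "department": "history"},
}
RELEASE_POLICY = {
    "https://journals.example.com": {"affiliation"},
    "https://grants.example.gov": {"affiliation", "department"},
}


class HomeInstitution:
    """Authenticates locally, then vouches for the user under an opaque handle."""

    def __init__(self, directory, release_policy):
        self._directory = directory
        self._policy = release_policy
        self._handles = {}  # handle -> (username, service it was issued to)

    def issue_handle(self, username, service):
        if username not in self._directory:
            raise KeyError("unknown local user")
        handle = secrets.token_urlsafe(16)  # random, so it reveals nothing about the user
        self._handles[handle] = (username, service)
        return handle

    def attributes_for(self, handle, service):
        # A handle is only honoured for the service it was issued to.
        username, issued_to = self._handles.get(handle, (None, None))
        if username is None or issued_to != service:
            return {}
        allowed = self._policy.get(service, set())  # default: release nothing
        record = self._directory[username]
        return {k: v for k, v in record.items() if k in allowed}


def remote_service_allows(attributes, required):
    """Remote service decision: every required attribute must match an accepted value."""
    return all(attributes.get(k) in accepted for k, accepted in required.items())


def request_access(home, username, service, required):
    handle = home.issue_handle(username, service)
    attrs = home.attributes_for(handle, service)
    return handle, attrs, remote_service_allows(attrs, required)
```

The remote service only ever sees the handle and the attributes the home institution's policy releases to it, and a service with no policy entry receives nothing.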

Originally geared for Web browser-based services, Shibboleth is currently being extended to support services that use other interfaces, such as Web services and WSRF interfaces.

Key benefits:

  • Relieves remote service providers from having to manage user lists for every institution that uses their services
  • Allows "home institutions" to protect the identities of their users from remote service providers
  • Leverages existing authentication systems at home institutions
  • Flexible, distributed architecture supports a variety of usage scenarios
Software: Shibboleth
Developed by: Internet2
Distributions: NMI-R7
Download from the Shibboleth website
Contact: shibboleth-users@internet2.edu
(must be subscribed before sending mail)