wiki:ShibbolethService

Version 1 (modified by joshuadf, 11 years ago)


Summary

Shibboleth is an implementation of web-based single sign-on (see "How it works" below).

It is only for web applications, and requires configuration by both institutions (such as UW and FHCRC) and resource providers (such as ITHS). However, because it uses existing web standards, this configuration should not require extensive customization of application code. All major platforms (Windows, Linux, Java, etc.) are supported.

The big advantage is that users provide their existing username and password to their own institution, which eliminates the need for maintenance of additional usernames and eases some privacy worries.

How it works

  • The website shows the user a "Where Are You From" (WAYF) page that allows them to select an institution, such as "University of Washington"
  • After the user provides a username and password to that institution, the institution redirects the user back to the website. In the background, the user now has a session carrying the released attributes (username and possibly a status such as "faculty")
  • The website sees the embedded username (REMOTE_USER) and displays "Welcome joshuadf@…" without requiring any additional password.
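As an added example (not code from this wiki page or from the Shibboleth project), here is the website side of the flow above as a small Python WSGI application: it reads the REMOTE_USER that an Apache-hosted Shibboleth SP sets after the redirect, ignores any client-supplied header of the same name, and handles the opaque-token case from the Issues section. The attribute names Shib-Identity-Provider and affiliation are assumed, and the sample identities are constructed.

```python
import re
from html import escape

# Attribute names the Apache SP (mod_shib) exports alongside REMOTE_USER;
# these two are the conventional names and are assumed here.
IDP_VAR = "Shib-Identity-Provider"
AFFIL_VAR = "affiliation"

# A privacy-preserving identifier like "adfead1a2d90a966ef0a69071a2df31b@..."
# is a long hex token before the '@'; a readable username is not.
OPAQUE_RE = re.compile(r"^[0-9a-f]{32,}@", re.IGNORECASE)


def identity_from_environ(environ):
    """Return (user, idp, affiliations) or None if the SP set no session.

    Only the server-side environment variable REMOTE_USER is trusted.
    Anything prefixed HTTP_ (e.g. HTTP_REMOTE_USER) came from the request
    and must never be used as the identity, since a client could supply it.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    idp = environ.get(IDP_VAR, "unknown IdP")
    affiliations = [a for a in environ.get(AFFIL_VAR, "").split(";") if a]
    return user, idp, affiliations


def greeting(identity):
    """Build the 'Welcome ...' line, hiding pseudonymous tokens."""
    user, idp, affiliations = identity
    who = "anonymous user from " + idp if OPAQUE_RE.match(user) else user
    extra = " (" + ", ".join(affiliations) + ")" if affiliations else ""
    return "Welcome " + who + extra


def application(environ, start_response):
    """WSGI entry point for a location the SP protects (e.g. /secure/)."""
    identity = identity_from_environ(environ)
    if identity is None:
        # The SP normally forces login before we run; still fail closed.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"No Shibboleth session\n"]
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [escape(greeting(identity)).encode("utf-8")]
```

Deploy it behind an SP-protected location (AuthType shibboleth with a required session) so that REMOTE_USER is populated before the application runs.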

Issues

  • Some institutions do not want to release actual usernames for privacy reasons, and instead provide an opaque token such as "adfead1a2d90a966ef0a69071a2df31b@…"
  • Some applications, such as Microsoft's SharePoint, run in a limited mode for non-local users
  • Smaller institutions or private practices do not have the resources to set up a Shibboleth Identity Provider. As a workaround, these users will need to use a free public provider such as ProtectNetwork or be granted UW credentials
  • UW does not currently have extensive guides for Shibboleth like it does for pubcookie, but probably will in the future

Shibboleth from an application's point of view <http://shib.kuleuven.be/switch2shibboleth.shtml>

Shibboleth home page <http://shibboleth.internet2.edu/>

Wikipedia: Shibboleth (Internet2) <http://en.wikipedia.org/wiki/Shibboleth_(Internet2)>

Technical:

My Demo

This uses the public testshib.org testing service.

*DO NOT ENTER YOUR OWN PASSWORD* <https://shibsp.biostr.washington.edu/secure/> *DO NOT ENTER YOUR OWN PASSWORD*