
Shibboleth (software)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Shibboleth
Developer: Internet2 Consortium
Released: 2000s
Programming language: Java, C++
Operating system: Cross-platform
Genre: Federated identity, single sign-on
License: Apache License 2.0

Shibboleth (software) is an open-source federated identity solution that enables single sign-on (SSO) and attribute exchange across web domains. It implements standards-based protocols to provide authentication, authorization, and privacy-preserving attribute release for collaborations among institutions, consortia, and service providers. Designed for academic, research, government, and enterprise federations, it integrates with directory services, identity providers, and access management systems.

History

Shibboleth originated within the Internet2 community during the Sakai Project era of federated identity work linked to initiatives like InCommon and eduGAIN, evolving from early research driven by groups at MIT, Stanford University, University of California, Berkeley, and University of Michigan. Influenced by standards bodies including OASIS, the Liberty Alliance Project, and the Kantara Initiative, Shibboleth implementations paralleled protocol developments such as SAML 1.0 and SAML 2.0, and later integrations with OAuth 2.0 and OpenID Connect. Funding and organizational stewardship moved through collaborations with Internet2, the Shibboleth Consortium, and various national research and education networks including GÉANT and CANARIE. Deployments expanded from early adopters like Oxford University, Harvard University, Australian National University, and European University Institute into wider use by organizations participating in federations such as the UK Access Management Federation, SWITCHaai, and AARNet.

Architecture and Components

Shibboleth's architecture combines components written in Java and C++ and integrates with identity stores such as Microsoft Active Directory, OpenLDAP, and Oracle Internet Directory. Core components are an Identity Provider (IdP) implementation and a Service Provider (SP) implementation; the Identity Provider typically runs on web application servers like Apache HTTP Server, Nginx, Apache Tomcat, and JBoss/WildFly, while the Service Provider uses modules and libraries that integrate with platforms such as Drupal, Django, WordPress, Joomla!, and Moodle. The system relies on metadata exchange governed by federation operators like eduGAIN and on security token standards maintained by OASIS, with cryptographic dependencies on libraries like OpenSSL and Bouncy Castle. Administrative tooling commonly interoperates with directory protocols such as LDAP, provisioning standards such as SCIM, and entitlement management products from vendors such as Microsoft and Oracle Corporation.

Authentication and Authorization Workflows

Shibboleth supports authentication flows based on the SAML 2.0 protocol, using browser redirects between Identity Providers and Service Providers, with attribute assertions supplying the data for authorization decisions. During a typical SAML flow, the user interacts through a web browser such as Mozilla Firefox, Google Chrome, Microsoft Edge, or Safari, and the Identity Provider may consult authentication backends such as Kerberos, RADIUS, CAS (Central Authentication Service), or social identity providers via OAuth 2.0 and OpenID Connect integration. Attribute release policies map directory attributes defined by the eduPerson schema and community attributes curated by federations such as InCommon; downstream authorization integrates with access control systems including XACML, Shibboleth's native policy, and application-level role mapping used by platforms like Sakai, Blackboard Learn, and Canvas LMS. Multi-factor authentication can be layered using solutions from vendors like Duo Security and Yubico, or institutional authenticators linked to the SAML exchange.

Deployment and Configuration

Deployments range from on-premises installations on operating systems such as Red Hat Enterprise Linux, Ubuntu, CentOS, Windows Server, and macOS to cloud-based deployments on services like Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Configuration requires metadata management, TLS certificate lifecycle coordination with certificate authorities such as Let's Encrypt or DigiCert, and integration with federation metadata aggregators managed by entities like eduGAIN or national operators such as Jisc and SURFnet. Administrators commonly use tools like Ansible, Puppet, and Chef for orchestration, while containerized deployments employ Docker with orchestration via Kubernetes. Logging and monitoring integrate with observability stacks such as Prometheus, Grafana, and the ELK Stack (Elasticsearch, Logstash, and Kibana).

Security and Privacy Considerations

Security design follows practices articulated by NIST, ISO/IEC 27001, and guidance from federations like InCommon concerning endpoint trust, metadata signing, and certificate management. Threats addressed include token interception, replay attacks, and metadata poisoning, mitigated by TLS together with the XML Signature and XML Encryption standards maintained by W3C and IETF. Privacy considerations reference attribute minimization principles advocated by organizations such as EPIC and compliance regimes like GDPR and FERPA when handling personally identifiable information. Operational security incorporates vulnerability management aligned with CVE advisories, coordinated disclosure practices exemplified by the CERT Coordination Center, and security testing guided by OWASP.
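The assertion-handling step described in the workflow section above and the replay defence named here, as an added example that is not part of this article or of the Shibboleth project's code: it applies the SAML 2.0 Conditions checks (validity window, audience) and a replay cache to a constructed, unsigned sample assertion, assuming XML Signature verification has already passed, an SP entityID of https://sp.example.org/shibboleth, and a 180-second clock-skew allowance.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # assumed SP entityID
CLOCK_SKEW = timedelta(seconds=180)                 # tolerated IdP/SP clock drift

# Constructed sample assertion (no real IdP); ds:Signature omitted, verification assumed done.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value): return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, seen_ids):
    """Apply Conditions and replay checks; return (accepted, reason, attributes)."""
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:                      # replay: same assertion presented twice
        return False, "replayed assertion ID", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:                                  # no validity window: refuse, do not guess
        return False, "missing Conditions", {}
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        return False, "not yet valid", {}
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        return False, "expired", {}
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if SP_ENTITY_ID not in audiences:                 # assertion was minted for a different SP
        return False, "audience mismatch", {}
    seen_ids.add(assertion_id)                        # keep until NotOnOrAfter has passed
    attrs = {a.get("FriendlyName") or a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs

def demo():
    """Fresh presentation, a replay of the same assertion, then a stale presentation."""
    cache = set()
    fresh = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    late = datetime(2024, 1, 1, 12, 30, 0, tzinfo=timezone.utc)
    return [validate_assertion(SAMPLE, fresh, cache), validate_assertion(SAMPLE, fresh, cache),
            validate_assertion(SAMPLE, late, set())]
```

A production SP must also bind the replay cache to the NotOnOrAfter horizon and verify the signature and Issuer against federation metadata before any of these checks are meaningful.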

Adoption and Use Cases

Shibboleth is widely adopted across higher education, research, government, and commercial federations, with notable deployments at institutions such as Columbia University, University of Cambridge, ETH Zurich, and the National Institutes of Health, and in consortia including projects aligned with the World Wide Web Consortium and research infrastructures supported by European Commission funding. Use cases include campus SSO for library resources integrating with Ex Libris, federated access to e-journals from publishers like Elsevier, Springer Nature, and Wiley, collaborative research platforms interoperating with Zenodo and Figshare, and cross-organization access to services provided by vendors such as Microsoft Azure AD and Google Workspace. Federated authentication via Shibboleth underpins virtual learning environments, scholarly communication systems, and cross-border collaborations coordinated through initiatives like Horizon 2020.
