Generated by GPT-5-mini

| Shibboleth Identity Provider | |
|---|---|
| Name | Shibboleth Identity Provider |
| Developer | Internet2 Consortium; Shibboleth Consortium |
| Released | 2003 |
| Latest release | (varies) |
| Programming language | Java |
| Operating system | Linux; Microsoft Windows; macOS; Solaris |
| License | Apache License 2.0 |
Shibboleth Identity Provider is an open-source software component that implements a SAML-based authentication and attribute release service for federated identity systems. It enables institutions such as Stanford University, Massachusetts Institute of Technology, University of Oxford, University of Cambridge, and University of California, Berkeley to authenticate users and convey attributes to relying parties like Google, Microsoft, Amazon Web Services, Elsevier, and Springer Nature. Widely used across research and education federations including eduGAIN, InCommon, JISC, GÉANT, and the Australian Access Federation, it is a server-side application written primarily in Java and integrates with enterprise directories and single sign-on solutions such as LDAP, Active Directory, Shibboleth Service Provider, and CAS (Central Authentication Service).
Shibboleth Identity Provider sits within federated identity architectures alongside identity providers like Okta, Ping Identity, Auth0, Keycloak, and Microsoft Active Directory Federation Services. It supports standards developed by bodies including the OASIS Technical Committee and the SAML 2.0 specification, facilitating interactions with service providers operated by organizations such as Elsevier, IEEE, Wiley, ProQuest, and Clarivate. Deployments commonly occur at higher education institutions, research laboratories like CERN, governmental research agencies such as NASA, and non-profits like Internet2 and The Apache Software Foundation, enabling campus-wide single sign-on and fine-grained attribute release policies.
The Identity Provider comprises modular components: the authentication engine, attribute resolver, attribute filter, session management, and SAML endpoints. Authentication backends connect to directories and services including Microsoft Active Directory, OpenLDAP, Oracle Directory Server, CAS, and Kerberos. The attribute resolver integrates with attribute stores such as relational databases including PostgreSQL, MySQL, and Oracle Database and supports transformations similar to those in Apache Directory Studio tooling. SAML endpoints exchange protocol messages with service providers like Shibboleth Service Provider, SimpleSAMLphp, Lua SAML deployments, and commercial platforms from Salesforce and Box. Logging and telemetry integrate with observability stacks including the ELK Stack, Prometheus, and Grafana in environments run by organizations like Red Hat and Canonical.
Administrators deploy the Identity Provider on operating systems such as Red Hat Enterprise Linux, Ubuntu, Windows Server, and Solaris using Java application servers like Apache Tomcat, Jetty, or WildFly. Configuration files define entity descriptors, metadata, and attribute release policies consumed by federations such as InCommon and eduGAIN. Integration scenarios reference metadata providers including MDQ (Metadata Query Protocol) endpoints maintained by GÉANT and TERENA-affiliated institutions. Certificate management interoperates with public key infrastructures run by Let's Encrypt, DigiCert, and enterprise CAs like Entrust, while secrets and keys may be stored using vaults such as HashiCorp Vault or Azure Key Vault.
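The attribute release policies that the attribute filter enforces are expressed in the IdP's attribute-filter.xml. The fragment below is an added example, not configuration from the Shibboleth project or from any real deployment; the entity IDs, the federation group name and the scope values are placeholders. It places an over-broad policy that releases identifiers to every requester next to policies scoped to one named service provider and to members of a federation metadata group.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example attribute-filter.xml; entity IDs, group name and scopes are placeholders -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- WEAK: the ANY requirement matches every requester, so any SP present in
         any loaded metadata receives the user's identifier and mail address. -->
    <AttributeFilterPolicy id="releaseToEveryone">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- SCOPED: release only to one named SP (placeholder entityID), and only
         the affiliation values that SP actually needs; other values are withheld. -->
    <AttributeFilterPolicy id="releaseToLibraryPortal">
        <PolicyRequirementRule xsi:type="Requester"
                value="https://sp.example.edu/shibboleth" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="Value" value="member@example.edu" />
            <PermitValueRule xsi:type="Value" value="student@example.edu" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- SCOPED BY FEDERATION: a lower-risk attribute goes only to SPs listed in
         a federation's metadata group (placeholder group name). -->
    <AttributeFilterPolicy id="releaseAffiliationToFederation">
        <PolicyRequirementRule xsi:type="InEntityGroup"
                groupID="https://federation.example.org/members" />
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Policies in the group are evaluated together, so the weak policy would still release to everyone even with the scoped ones present; it is shown only to contrast with them and should be deleted, not merely supplemented.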
Security relies on standards and practices championed by OASIS, IETF, and federations like eduGAIN and InCommon. The IdP implements SAML 2.0 bindings and supports extensions including SAML metadata descriptors, digital signatures, and XML encryption. It integrates with authentication flows leveraging LDAP binds, Kerberos tickets, RADIUS backends used by institutions like Internet2 participants, and multi-factor systems such as Duo Security, YubiKey, and FIDO2 authenticators promoted by the World Wide Web Consortium. Threat mitigation follows guidance from organizations like the National Institute of Standards and Technology (NIST) and ENISA and employs secure TLS configurations recommended by the IETF and implemented via OpenSSL or BoringSSL.
The Identity Provider interoperates with service providers and catalogues including Shibboleth Service Provider, SimpleSAMLphp, OpenAthens, CILogon, Globus, and commercial SaaS offerings from Google Workspace, Microsoft 365, Amazon Web Services, and Zoom Video Communications. It consumes federation metadata from operators such as InCommon, eduGAIN, UK Access Management Federation, and Australian Access Federation to establish trust with entities like Elsevier, Springer Nature, and Wiley. Attribute release and consent workflows can be aligned with policies from organizations like JISC and TERENA, while identity assurance levels reference frameworks from NIST and eIDAS.
Scaling strategies mirror architectures used by large institutions such as Harvard University and University of California systems: horizontal scaling of application nodes behind load balancers like HAProxy or NGINX, session replication via databases like PostgreSQL or caching layers such as Redis, and metadata caching to reduce latency to federated partners including eduGAIN endpoints. Benchmarks performed by university IT groups compare throughput with other solutions like Keycloak and PingFederate under peak loads seen during academic enrollment or publisher resource access. High-availability setups use orchestration platforms like Kubernetes and configuration management from Ansible or Puppet for deployments at scale.
Development originated within projects led by Internet2 and contributors from institutions including MIT, University of California, Berkeley, University of Michigan, and Indiana University in the early 2000s. It evolved alongside standards efforts at OASIS and the publication of SAML 2.0, with governance contributions from the Shibboleth Consortium and collaborative operations by federations such as InCommon and GÉANT. Over time, the project incorporated features to interoperate with cloud providers like Amazon Web Services and identity vendors including Okta and Ping Identity, and has been adopted by a wide spectrum of research, education, and commercial organizations worldwide.