Generated by GPT-5-mini
| Shibboleth Service Provider | |
|---|---|
| Name | Shibboleth Service Provider |
| Developer | Shibboleth Consortium (originally an Internet2 project) |
| Released | 2005 |
| Programming language | C++ |
| Operating system | Linux, FreeBSD, Microsoft Windows |
| Platform | Apache HTTP Server, Microsoft IIS (NGINX via a third-party FastCGI module) |
| License | Apache License 2.0 |
Shibboleth Service Provider (SP) is an open-source SAML Service Provider: a web-server component that protects web applications and resources by delegating authentication to external Identity Providers (IdPs) and enforcing attribute-based access control on the attributes those IdPs release. It is widely deployed by universities, research organisations and government agencies as the relying-party side of identity federations such as InCommon and eduGAIN (the inter-federation service operated by GÉANT). The project is built on open standards and interoperates with a wide range of web servers, SAML Identity Providers and federation operators.
The software implements the SAML 2.0 Web Browser SSO Profile (and, historically, SAML 1.x) to provide single sign-on between a protected web resource and remote Identity Providers operated by institutions and consortia. It processes SAML assertions, maps the attributes they carry (which the IdP typically sources from an LDAP directory) to local names, and applies attribute filtering and access control policies consistent with federation practice. Alternatives covering similar ground include SimpleSAMLphp, mod_auth_mellon and the SAML support in commercial identity products from vendors such as Microsoft and Okta.
The core architecture comprises two native C++ parts: a daemon, shibd, that performs SAML protocol processing, metadata handling and session caching, and a web server module (mod_shib for Apache HTTP Server, an ISAPI or native module for Microsoft IIS, and a FastCGI authorizer and responder used by a third-party NGINX module) that intercepts requests, enforces the presence of a session and exports attributes to the application. Key components are the SAML protocol engine, the attribute extractor and attribute filter, the session cache and the policy enforcement point (the RequestMapper and its access control rules). The SP's own attribute resolver is limited to SAML attribute queries against attribute authorities; directory and Kerberos lookups are the IdP's job. Applications running in containers such as Tomcat, WildFly or Jetty normally sit behind the SP-protected web server as a reverse-proxy backend and receive attributes as HTTP request headers, or as server environment variables when co-located. Metadata handling consumes signed federation aggregates or per-entity MDQ feeds published by operators such as InCommon and eduGAIN.
Administrators typically deploy the SP on the web server that fronts the application, either co-located with it or on a reverse-proxy or gateway host, on premises or in cloud infrastructure such as Amazon Web Services or Google Cloud Platform. Configuration centres on XML files: shibboleth2.xml (application defaults, session settings, metadata providers, credential resolvers and the request map), attribute-map.xml (which SAML attributes to decode and under what local names) and attribute-policy.xml (which values to accept from which issuers). Metadata is usually consumed dynamically from a federation aggregate or MDQ service rather than maintained by hand. The SP has no directory connectors of its own: attributes come from the IdP, which in turn reads OpenLDAP, Microsoft Active Directory or a campus identity service. Large deployments are commonly managed with automation tools such as Ansible, Puppet or Chef.
A typical flow begins when a user requests a protected resource. The web server module finds no SP session and redirects the browser to the SP's session initiator handler (by default under /Shibboleth.sso/), which selects an IdP, directly or through a discovery service, and sends a SAML 2.0 AuthnRequest, normally with the HTTP-Redirect binding. The IdP authenticates the user, possibly with multi-factor authentication such as Duo or through a campus CAS server, and returns a SAML Response carrying a signed (and often encrypted) assertion with attributes, normally via the HTTP-POST binding to the SP's AssertionConsumerService. The SP verifies the signature against the IdP's key in federation metadata, checks the assertion conditions (audience, validity window, single use against a replay cache), creates a session, sets a session cookie and redirects the browser back to the original resource. Attributes are decoded according to attribute-map.xml, filtered by attribute-policy.xml and exported to the application; access is then granted or denied by rules such as Apache Require directives or an XML AccessControl block keyed on attributes like eduPersonEntitlement, the mechanism publishers such as Elsevier or JSTOR rely on.
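The attribute handling and authorization steps of this flow, as an added configuration example (not the project's shipped defaults): an attribute-map.xml that decodes a handful of eduPerson and SAML subject-identifier attributes, an attribute-policy.xml that rejects scoped values whose scope the issuing IdP is not registered for and drops entitlement values the application does not understand (any attribute without a matching rule is discarded), and a RequestMapper excerpt for shibboleth2.xml that enforces a session plus an entitlement on one path. The hostname app.example.edu, the scope example.edu and the entitlement value are assumptions for illustration.

```xml
<!-- attribute-map.xml (example): only attributes listed here are decoded at all;
     the id is the local name seen by policy, access control and the application. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <!-- eduPerson attributes in urn:oid form, as released by most federations -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
</Attributes>

<!-- attribute-policy.xml (example): scoped values must carry exactly one scope,
     and that scope must appear as a shibmd:Scope in the issuing IdP's metadata,
     so an IdP registered for example.edu cannot assert jdoe@other.edu. -->
<afp:AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT"><Rule xsi:type="ValueRegex" regex="@"/></Rule>
    <Rule xsi:type="ScopeMatchesShibMDScope"/>
  </afp:PermitValueRule>
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>
    <afp:AttributeRule attributeID="eppn"><afp:PermitValueRuleReference ref="ScopingRules"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="affiliation"><afp:PermitValueRuleReference ref="ScopingRules"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="subject-id"><afp:PermitValueRuleReference ref="ScopingRules"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="pairwise-id"><afp:PermitValueRuleReference ref="ScopingRules"/></afp:AttributeRule>
    <!-- Only the entitlement value this application acts on; others are dropped. -->
    <afp:AttributeRule attributeID="entitlement">
      <afp:PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail"><afp:PermitValueRule xsi:type="ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>

<!-- shibboleth2.xml RequestMapper excerpt (example): the SP's own access control,
     evaluated in the module before the request reaches the application. -->
<RequestMapper type="Native">
  <RequestMap>
    <Host name="app.example.edu">
      <Path name="secure" authType="shibboleth" requireSession="true">
        <AccessControl>
          <AND>
            <Rule require="affiliation">member@example.edu</Rule>
            <Rule require="entitlement">urn:mace:dir:entitlement:common-lib-terms</Rule>
          </AND>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
```

The three fragments are separate files shown together for reading; the Value rule on entitlement is an exact match, so a new entitlement must be added to both the policy and the access control rule before it has any effect.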
The Service Provider interoperates with any SAML 2.0-compliant Identity Provider, including the Shibboleth Identity Provider, SimpleSAMLphp and commercial products such as Microsoft Active Directory Federation Services (AD FS) and Ping Identity. It supports the eduPerson attribute schema used across research and education federations and the standard SAML name identifier formats, and it consumes metadata from sources such as InCommon and eduGAIN. It is also used for access to federated research infrastructures operated by CERN and the European Grid Infrastructure and by national research networks such as CANARIE and Jisc (Janet).
Security relies on correct XML signature handling, TLS on the SP's handler endpoints (with certificates from a public CA such as Let's Encrypt or DigiCert, or from an institutional CA), and strict metadata trust anchors: the federation's metadata signing certificate is pinned locally, and metadata is accepted only if its signature verifies and it carries a validUntil attribute within an acceptable interval. The SP's security policy rules enforce message expiration and replay detection, audience restriction and the binding of issuer to key through metadata; administrators can additionally require signed requests and encrypted assertions. Threats such as assertion replay, metadata poisoning and over-release of attributes are mitigated by signed-metadata filters, distinct entityIDs per application and attribute filtering policies. Privacy-aware deployments limit attribute release, log minimal personally identifiable information, and comply with regional law such as GDPR in European Union member states and with national guidance such as NIST's digital identity guidelines in the United States.
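The configuration structure described above and the trust-anchor and session hardening described here, as one added shibboleth2.xml excerpt (an example for this page, not the file the project ships): handlers are restricted to TLS with a Secure cookie, post-login redirects are limited to the SP's own host, metadata is fetched from an MDQ service and accepted only when signed by a pinned certificate and carrying a bounded validUntil, only IdP and attribute-authority roles are retained, and the explicit-key trust engine alone is used so that a key not present in metadata can never verify an assertion. The entityIDs, hostnames, MDQ base URL and file names are assumptions.

```xml
<!-- shibboleth2.xml excerpt (example). Assumed: SP entityID https://app.example.edu/shibboleth,
     IdP entityID https://idp.example.edu/idp/shibboleth, federation MDQ service at
     https://mdq.example.org/ whose signing certificate is stored as mdq-signer.pem. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <ApplicationDefaults entityID="https://app.example.edu/shibboleth"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id"
                       signing="front" encryption="front">

    <!-- handlerSSL: handlers answer only over TLS; cookieProps="https": Secure cookie;
         redirectLimit="exact": after login the SP redirects only to its own host,
         closing the open redirect otherwise reachable through the target parameter. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">
      <SSO entityID="https://idp.example.edu/idp/shibboleth">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <!-- Status and Session handlers expose internals; keep them local and terse. -->
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="help@example.edu" helpLocation="/about.html"/>

    <!-- Trust anchor: the federation signing certificate pinned on disk, so transport
         security is not what the trust depends on (ignoreTransport). RequireValidUntil
         rejects metadata with no expiry or one more than 28 days out, so a stale or
         replayed aggregate cannot keep a revoked IdP key alive indefinitely. -->
    <MetadataProvider type="MDQ" id="federation" ignoreTransport="true"
                      cacheDirectory="mdq-cache" baseUrl="https://mdq.example.org/">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="mdq-signer.pem" verifyBackup="false"/>
      <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
        <RetainedRole>md:AttributeAuthorityDescriptor</RetainedRole>
      </MetadataFilter>
    </MetadataProvider>

    <!-- Explicit key only: signatures verify against keys in metadata, never via PKIX. -->
    <TrustEngine type="ExplicitKey"/>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>

    <!-- Separate signing and encryption keys; the encryption key must be protected
         like a session key, since it decrypts every assertion delivered to this SP. -->
    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

Replay and expiration checks on incoming messages come from the rules in security-policy.xml referenced at the end; the excerpt keeps the shipped rule set and changes only the application-level trust and session settings.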
Scale strategies include running multiple SP instances behind a load balancer (hardware such as F5 or a cloud service such as Amazon Elastic Load Balancing) with either session affinity, for example via HAProxy, or a shared session store, because sessions are cached in shibd by default and are not shared between hosts. Metadata feeds are cached locally and refreshed on a schedule, and MDQ lookups replace full aggregates for large federations. Performance tuning addresses SAML processing cost, which is dominated by XML parsing, signature verification and decryption performed with OpenSSL and the Apache Santuario C++ library; the SP itself holds no persistent directory connections. Large federations such as InCommon and eduGAIN prescribe metadata distribution practices that accommodate thousands of entities and peak authentication loads during academic registration windows.
Category:Federated identity