Shibboleth

What is Shibboleth?

Shibboleth is a web-based software tool that supports single sign-on (SSO) between two applications or between two organizations. It is open source and is used mainly for SSO over the SAML protocol. Shibboleth cannot implement SSO with protocols such as OAuth or OpenID Connect.

It helps sites make informed authorization decisions when granting access to protected resources. Shibboleth provides federated, identity-based authentication and authorization that allows cross-domain single sign-on (SSO) and removes the need for separate access credentials at each site.

The Shibboleth web-based single sign-on (SSO) system consists of three components:

  • Identity Provider (IDP) - An identity provider creates, maintains, and manages user identities and information. Identity Providers are responsible for authenticating users and for supplying the required user information to the Service Provider (SP).
  • Service Provider (SP) - A service provider receives authentication assertions from the Identity Provider and, on the basis of those assertions, treats the user as authenticated.
  • Discovery Service (DS) - It helps the Service Provider discover the user's Identity Provider. It may be located anywhere on the web and is often not required.

Shibboleth SSO Workflow

The diagram below shows the common single sign-on (SSO) workflow and the interaction between the user, the Identity Provider (IDP) and the Service Provider (SP).

[Figure: Shibboleth SSO workflow]

Shibboleth SSO flow with miniOrange IDP

[Figure: Shibboleth SSO flow with miniOrange IDP]

The authentication process using an Identity Provider (IDP) takes place in the following steps:

  1. The user visits a Service Provider (website) to access its resources.
  2. The Service Provider determines the user's Identity Provider (IDP) with the help of the miniOrange discovery service and redirects the user to that Identity Provider for authentication.
  3. The Identity Provider checks whether the user already has an active session; if not, it asks the user to enter their credentials and processes the authentication request.
  4. The Identity Provider (IDP) sends an authentication response to the Service Provider (SP).
  5. Once the user has been authenticated by the Identity Provider (IDP), the Service Provider (SP) grants the user access.
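As an added example that is not part of the original page or of Shibboleth itself, the following Python shows the checks a Service Provider applies to the response it receives in step 4 before granting access in step 5. It assumes the XML signature has already been verified against the IdP's key from metadata (not shown), and the entity IDs, request ID and sample response are constructed placeholders.

```python
# Added example, not Shibboleth's own code: the checks a SAML Service Provider applies to an
# IdP response after its XML signature has been verified against the IdP key from metadata
# (signature verification is assumed done and is NOT shown). All IDs/URLs are placeholders.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # placeholder, not a real IdP
SP_ENTITY_ID = "https://sp.example.org/shibboleth"        # placeholder, not a real SP
# Constructed sample response (unsigned), shaped like what the SP receives in step 4.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_issuer, expected_audience, request_id, now):
    """Return a list of violations; an empty list means the SP may create a session."""
    problems = []
    root = ET.fromstring(xml_text)
    # Bind the response to the AuthnRequest this SP actually issued (blocks replayed responses).
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest we issued")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # The issuer must be the IdP chosen in the discovery step, not merely any IdP.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("unexpected Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < saml_time(nb)) or (noa and now >= saml_time(noa)):
        problems.append("assertion outside its validity window")
    # Audience restriction: an assertion minted for a different SP must be rejected here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience does not include this SP")
    return problems
```

Each rejected condition corresponds to a failure mode the Shibboleth SP guards against on your behalf; the list form makes it easy to log why a response was refused.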

Limitations of Shibboleth

  1. Shibboleth supports a limited set of protocols, essentially SAML.
  2. Vendor support and customization are not available because Shibboleth is open source, unlike other vendors who provide full support.
  3. Shibboleth is more complex to set up, and its configuration is more involved.
  4. Shibboleth supports only SAML 1 and SAML 2, with protocol features up to those of Shibboleth 2.4.

Shibboleth vs miniOrange IDP

Feature                     | Shibboleth                                                              | miniOrange IDP
----------------------------|-------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------
Multi-protocol support      | Supports only a few authentication protocols, such as SAML 1 and SAML 2 | Fully supports all authentication protocols: SAML, SAML 2, JWT, OAuth, OpenID Connect, CAS and more
Configuration & setup       | Requires a more complex setup and configuration                         | Easy to set up and configure
Support                     | Limited support, as it is open source                                   | 24x7 active support
Multiple SP and IDP support | Requires customization                                                  | Can act as an identity broker and support authentication for multiple apps and IDPs
