Shibboleth: How it Works
The Shibboleth System is a standards-based, open source software package that enables authentication of authorised users through their own organization's internal identity and access management system. Shibboleth is not itself an authentication mechanism: the user's credentials are checked by the home institution's existing identity system (for example an LDAP directory), and Shibboleth implements the standard SAML protocols for the secure passing of the resulting identity information between institutions and service providers. Each participating institution is therefore required to set up its own Identity Provider (IdP) service for its users. Shibboleth creates a trust relationship between the parties, enabling federated single sign-on, and offers improved data security (the service provider never sees the user's password) and convenience for end users.

Universities and colleges that have the requisite technical expertise and ICT infrastructure are encouraged to set up their own IdP service. As such, the Shibboleth implementation at INFED @ INFLIBNET Centre works as follows:
- The service providers (publishers) recognize INFED @ INFLIBNET Centre as a federation. INFED, in turn, maintains WAYF ("Where Are You From", i.e. discovery service) entries for all member institutions, pointing to their respective IdPs;
- After verifying the user's credentials, the institution's IdP passes "user attributes" to the service provider. These may include the user's institute, department and role (faculty / student / researcher) and, if agreed, whether he / she is entitled to a particular e-resource, as well as any other attributes mutually agreed with the service provider; and
- Based on the attributes passed by the IdP at his / her institution, the user is allowed access to the e-resource, if entitled.
Components of Shibboleth
Shibboleth consists of the following two primary components:
Identity Provider software is run by the institutions that hold the database of users entitled to access subscription-based e-resources or services. Shibboleth leverages the organization's identity and access management system, so that the individual's relationship with the institution can be used to determine access rights to subscription-based e-resources or services. In other words, different categories of users in an institution may have access to different sets of resources based on the attributes assigned to them.
Service Provider software is run by the publisher of a subscription-based e-resource or service. The Service Provider receives a set of pre-defined attributes from the Identity Provider and grants access to the subscribed e-resources or services depending upon the attributes received.
INFED at INFLIBNET Centre manages the trust between all the parties; in a Shibboleth federation this is normally done by distributing federation metadata that lists each member's IdP and SP together with their signing certificates, so that an SP accepts assertions only from IdPs the federation has registered. A Service Provider receives all necessary attributes about a user from his / her Identity Provider, which it trusts through the federation, and those attributes determine the level of access the user gets from the Service Provider.
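The attribute release on the IdP side and the attribute-based authorization on the SP side described above, shown as an added configuration example. It is not taken from INFED's or the Shibboleth project's own configuration files. The entityID https://sp.publisher.example/shibboleth, the hostname sp.publisher.example, the path /journals and the affiliation scopes university.example and college.example are assumed placeholders. The first fragment belongs in the institution's IdP (conf/attribute-filter.xml, IdP v3/v4 syntax) and releases only the two agreed attributes, and only to that publisher; the second belongs in the publisher's SP (the RequestMapper section of shibboleth2.xml) and grants access only when the released attributes say the user is entitled. The attribute ids affiliation and entitlement are the default attribute-map.xml ids for eduPersonScopedAffiliation and eduPersonEntitlement; urn:mace:dir:entitlement:common-lib-terms is the standard entitlement value used for library e-resources.

```xml
<!-- ===== Institution's IdP: conf/attribute-filter.xml (excerpt, assumed values) ===== -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Scope the release to one SP entityID: other SPs in the federation metadata
         match no policy here and receive nothing, which is the safe default. -->
    <AttributeFilterPolicy id="release-to-publisher">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.publisher.example/shibboleth" />

        <!-- Scoped affiliation, e.g. faculty@university.example or student@university.example.
             The scope is what stops one member institution from asserting another's users. -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Release only the agreed library entitlement value; any other entitlement
             values in the directory stay at home. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>

<!-- ===== Publisher's SP: shibboleth2.xml RequestMapper (excerpt, assumed host/path) ===== -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="sp.publisher.example">
            <!-- Everything under /journals requires a Shibboleth session ... -->
            <Path name="journals" authType="shibboleth" requireSession="true">
                <!-- ... and a session alone is not enough: authorize on the attributes
                     the IdP actually released, not on the mere fact of a login. -->
                <AccessControl>
                    <AND>
                        <Rule require="entitlement">urn:mace:dir:entitlement:common-lib-terms</Rule>
                        <OR>
                            <Rule require="affiliation">member@university.example</Rule>
                            <Rule require="affiliation">member@college.example</Rule>
                        </OR>
                    </AND>
                </AccessControl>
            </Path>
        </Host>
    </RequestMap>
</RequestMapper>
```

Both sides should be checked after deployment: with the IdP policy in place, a test login followed by a visit to the SP's /Shibboleth.sso/Session handler should list only the two released attributes (values are displayed only if showAttributeValues is enabled on the Sessions handler), and a user whose directory entry lacks the common-lib-terms entitlement should be refused at /journals even though the SP session itself was established.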
Implementation of Shibboleth @ INFLIBNET
The INFLIBNET Centre, as executing agency for the eShodhSindhu project, has taken responsibility for authenticating users from all undergraduate colleges (members of the NLIST component of eShodhSindhu), since neither these colleges nor their affiliating universities are equipped, or have the technical capability, to run their own Shibboleth-based authentication mechanism. INFED therefore hosts Identity Provider services only for NLIST, which is treated as a single entity. All other institutions should set up their own IdPs as per the technical specifications defined by INFED.
The software used for the implementation of Shibboleth at INFLIBNET consists of open source packages developed by other projects, together with one in-house component:
- Shibboleth IdP (idp.war) and Shibboleth SP;
- OpenLDAP (user directory), PostgreSQL and SHARPE;
- an in-house developed user creation interface;
- Web Server (Apache) and Application Server (Tomcat);
- AuthN: the IdP's SSO handler, which authenticates the user by HTTP or form-based login, or by an existing session / assertion (cookie);
- AuthZ: the Attribute Authority, which releases the attributes on which the service provider's authorization decision is based.