Shibboleth: How It Works
The Shibboleth System is a standards-based, open source software package that facilitates authentication of authorised users using an organization's internal identity and access management system. Shibboleth does not carry out authentication itself. Instead, it defines a set of protocols for securely passing identity information between institutions and service providers, wherein each participating institution is required to set up its own identity provider service for its users. Shibboleth creates a trust relationship, facilitates federated single sign-on access, and offers improved data security and convenience for end-users. However, since most universities and colleges at present do not have the requisite technical know-how and ICT infrastructure to set up their own identity provider services, INFED @ INFLIBNET would act as an IdP for all its member universities and colleges. Universities and colleges that do have the requisite technical expertise and ICT infrastructure would be encouraged to set up their own IdP service. As such, the Shibboleth implementation at INFED @ INFLIBNET Centre would work as follows:
- The service providers (publishers) will recognize INFED @ INFLIBNET Centre as a trusted organization for authenticating users and will offer an option on their Web site to select INFED, INFLIBNET as an Identity Provider from their WAYF ("Where Are You From") page. INFED, in turn, will have WAYF entries for all member institutions with their IdP.
- Since INFED may serve as an IdP for all its member institutions, individual institutions would not be required to set up separate IdPs, and the publisher would not be required to maintain separate links for each institution. However, universities and colleges would be encouraged to set up their own IdPs gradually.
- When a user chooses INFED at INFLIBNET, he / she is redirected to the IdP link on the INFLIBNET server.
- After verifying the user's credentials, the IdP at INFED at INFLIBNET will pass "user attributes", which may include his / her institute, department, role (faculty/student/researcher), and, if agreed, whether he / she has access to a certain e-resource or not and / or any other attributes mutually agreed with the service provider.
- Based on the attributes passed by INFED at INFLIBNET for a user, he / she will be allowed access to the e-resource, if entitled.
Components of Shibboleth
Shibboleth consists of the following two primary components:
Identity Provider software is run by the institutions that hold the database of users entitled to access subscription-based e-resources or services. Shibboleth leverages the organization's identity and access management system, so that the individual's relationship with the institution can be used to determine access rights to subscription-based e-resources or services. In other words, different categories of users in an institution may have access to different sets of resources based on the attributes assigned to them. In the case of the Shibboleth implementation at INFED, participating universities and colleges would register themselves for creation of an identity management system using the college administrative interface. A trusted officer (Administrative or Technical Contact) nominated by the college/university authorities will be responsible for maintaining the identity management system for a given college on the INFED Server.
Service Provider software is run by the publisher of a subscription-based e-resource or service. The Service Provider receives a set of pre-defined attributes from the Identity Provider and grants the user access to subscribed e-resources or services depending upon the attributes received.
INFED at INFLIBNET Centre manages the trust between all the parties. As a result, when a user wants to access a protected service at an external SP, the SP can leverage the user's account with his / her own institution instead of creating a guest account for the external user. In other words, the Service Provider receives all necessary user attributes from an Identity Provider that it trusts, and those attributes determine the level of access the user gets from the Service Provider.
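The two-step WAYF redirect in the list above and the IdP/SP attribute exchange described in this section can be modelled end to end. The following is an added illustration written for this page, not Shibboleth code and not INFED's software: it hosts several "virtual" per-institution user stores behind one IdP, authenticates a user, releases only the attributes agreed with a given SP, and lets the SP make its access decision from those attributes. All entity IDs, URLs, usernames, resource names, the subscription table and the release policy are constructed placeholders.

```python
import hashlib
import hmac
import os

# --- Constructed trust data -------------------------------------------------
# The publisher SP's WAYF list: federations/IdPs it trusts (placeholder URL).
TRUSTED_IDPS = {"INFED, INFLIBNET": "https://idp.infed.example/idp/shibboleth"}
# INFED's own WAYF: member institution -> virtual IdP hosted for it on the INFED server.
INFED_MEMBER_IDPS = {
    "college-a": "https://idp.infed.example/college-a/shibboleth",
    "univ-b": "https://idp.infed.example/univ-b/shibboleth",
}
PUBLISHER_SP = "https://sp.publisher.example/shibboleth"  # placeholder SP entityID
# Per-SP attribute release policy: only these attributes were mutually agreed.
RELEASE_POLICY = {PUBLISHER_SP: {"institution", "role", "entitlement"}}
# SP-side subscription table: institution -> resource -> roles entitled.
SUBSCRIPTIONS = {
    "college-a": {"journal-x": {"faculty", "student", "researcher"}},
    "univ-b": {"journal-x": {"faculty"}, "journal-y": {"faculty", "researcher"}},
}


# --- Identity Provider side (one virtual user store per member institution) ---
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, department, role, entitlement=()):
    """Constructed record, as a college's nominated contact would maintain it."""
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_password(password, salt),
            "department": department, "role": role, "entitlement": list(entitlement)}


USER_STORE = {
    "college-a": {"asha": make_user("correct horse", "Physics", "faculty")},
    "univ-b": {"ravi": make_user("battery staple", "History", "student"),
               "meera": make_user("xkcd 936", "Chemistry", "researcher",
                                  entitlement=["journal-z"])},
}


def discover_idp(federation_choice, institution):
    """Two-step WAYF: SP -> INFED -> institution's virtual IdP; None if untrusted."""
    if federation_choice not in TRUSTED_IDPS:
        return None
    return INFED_MEMBER_IDPS.get(institution)


def authenticate(institution, username, password):
    """Verify credentials against the institution's store; constant-time compare."""
    user = USER_STORE.get(institution, {}).get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw"], _hash_password(password, user["salt"]))


def release_attributes(institution, username, sp_entity_id):
    """After login, release only the attributes agreed with this particular SP."""
    user = USER_STORE[institution][username]
    full = {"institution": institution, "department": user["department"],
            "role": user["role"], "entitlement": user["entitlement"]}
    agreed = RELEASE_POLICY.get(sp_entity_id, set())  # unknown SP -> release nothing
    return {k: v for k, v in full.items() if k in agreed}


# --- Service Provider side ----------------------------------------------------
def authorize(attributes, resource):
    """Access decision from released attributes; fails closed on missing data."""
    institution, role = attributes.get("institution"), attributes.get("role")
    if not institution or not role:
        return False, "missing institution or role attribute"
    if resource in attributes.get("entitlement", ()):
        return True, "entitled by IdP-asserted entitlement"
    allowed_roles = SUBSCRIPTIONS.get(institution, {}).get(resource)
    if allowed_roles is None:
        return False, f"{institution} does not subscribe to {resource}"
    if role not in allowed_roles:
        return False, f"role {role} not entitled to {resource} at {institution}"
    return True, "entitled by institutional subscription"


def sso_flow(federation_choice, institution, username, password, sp_entity_id, resource):
    """Whole exchange: WAYF -> IdP login -> attribute release -> SP decision."""
    if discover_idp(federation_choice, institution) is None:
        return False, "no trusted IdP for this user"
    if not authenticate(institution, username, password):
        return False, "authentication failed at IdP"
    attrs = release_attributes(institution, username, sp_entity_id)
    return authorize(attrs, resource)


if __name__ == "__main__":
    for args in [("INFED, INFLIBNET", "college-a", "asha", "correct horse", PUBLISHER_SP, "journal-x"),
                 ("INFED, INFLIBNET", "univ-b", "ravi", "battery staple", PUBLISHER_SP, "journal-x"),
                 ("INFED, INFLIBNET", "univ-b", "meera", "xkcd 936", PUBLISHER_SP, "journal-z")]:
        print(args[2], args[5], sso_flow(*args))
```

Two design points worth noting: the release policy is keyed by SP entityID, so the department attribute never leaves the IdP for an SP that did not agree to receive it, and the SP's decision fails closed whenever the asserted attributes are incomplete rather than falling back to a guest level of access.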
Implementation of Shibboleth @ INFLIBNET
The INFLIBNET Centre, as executing agency for the eShodhSindhu project, has taken the responsibility of authenticating users from all undergraduate colleges (members of the NLIST component of eShodhSindhu). Since neither these colleges nor their affiliating universities are equipped or have the technical capabilities to run their own Shibboleth-based authentication mechanism, INFED would host Identity Provider services that virtually serve all colleges. All institutions (i.e. universities, CFTIs and others that are members of the eShodhSindhu Consortium) would also be allowed to host and maintain their identity database on the INFED Server. However, institutions that have the technical capabilities, requisite technical know-how and necessary computing and network infrastructure would be encouraged to set up their own IdPs as per the technical specifications defined by INFED. Since the Shibboleth model is designed to run on separate, distributed Identity Provider services located in the participating institutions, necessary changes have been made in the software in order to host multiple Identity Provider services virtually on servers hosted at INFED.
The software used for the implementation of Shibboleth is all open source software developed by other projects, including Shibboleth IdP (idp.war), Shibboleth SP, OpenLDAP and SHARPE PostgreSQL, together with an in-house developed user creation interface, Web Server (Apache), Application Server (Tomcat), AuthN: the SSOHandler used for authentication, and AuthZ: the Attribute Authority allowing authorization via HTTP, form-based login or an existing session / assertion (cookie), etc.