Shibboleth Overview
Introduction
Shibboleth is a federated identity solution, used primarily in academic and research communities, that provides Single Sign-On (SSO) across multiple institutions; it is very comparable to OpenAthens. The difference is that OpenAthens is a hosted service whereas Shibboleth is an open-source project. It gives users seamless access to resources hosted by multiple organizations with one set of credentials, verified by their home institution. This is particularly useful in environments where users from various institutions need access to services and data hosted by another entity.
Shibboleth vs OpenAthens
Here's a comparison between Shibboleth and OpenAthens:
| Feature | Shibboleth | OpenAthens |
|---|---|---|
| Type | Open-source | Managed service |
| Hosting | Self-hosted | Cloud-based |
| Setup | Complex, requires IT resources | Easy, managed by OpenAthens |
| Standards | SAML | SAML, OAuth, OpenID Connect |
| Cost | Free (but needs maintenance) | Paid subscription |
Technological Overview
Shibboleth operates based on the framework provided by the Security Assertion Markup Language (SAML), ensuring secure exchanges of user authentication data between identity providers and service providers.
Here's a simplified diagram depicting how Shibboleth operates in a scenario where Statista acts as the content provider:
```mermaid
sequenceDiagram
participant U as User
participant SP as Service Provider (statista.com)
participant DS as Discovery Service
participant IdP as Identity Provider
U->>SP: Request access to content
SP->>U: Redirect to Discovery Service
U->>DS: Select Home Institution
DS->>U: Redirect to IdP
U->>IdP: Authenticate
IdP->>U: SAML Assertion
U->>SP: SAML Assertion (via user's browser)
SP->>SP: Validate SAML Assertion
SP->>U: Grant Access to Content
```
Components
- User (U): The individual requiring access to the content.
- Service Provider (SP: statista.com): The platform hosting the content that users want to access.
- Discovery Service (DS): An optional component, used when there are multiple Identity Providers, that helps the user select their home institution.
- Identity Provider (IdP): The user's home institution that authenticates the user and issues the SAML assertion.
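The "Validate SAML Assertion" step is where the SP decides whether to trust what arrived via the user's browser. As an added illustration (not Statista's or the Shibboleth project's code), the following checks the conditions a SAML SP must enforce beyond the XML signature: Destination, InResponseTo, Issuer, validity window and Audience. The entity IDs, URLs and the sample response are constructed placeholders; signature verification (which the Shibboleth SP does with XML-DSig against federation metadata) is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, attributes omitted); all entity IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST" InResponseTo="_req42">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)  # constructed "current time"

def _ts(value):  # SAML timestamps are UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, sp_entity_id, acs_url, idp_entity_id, request_id,
                      now, skew=timedelta(minutes=3)):
    """Return the reasons to reject the response; an empty list means every check passed.
    Signature checking is out of scope here (the SP verifies XML-DSig before these checks)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's assertion consumer URL")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match an outstanding request (possible replay)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("Issuer is not the trusted IdP from federation metadata")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        return problems + ["assertion has no Conditions"]
    not_before, not_on_or_after = _ts(conds.get("NotBefore")), _ts(conds.get("NotOnOrAfter"))
    if not (not_before - skew <= now < not_on_or_after + skew):  # small clock skew tolerated
        problems.append("assertion is outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("assertion was issued for a different audience")
    return problems
```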
Shibboleth servers
The DNS name shibboleth.statista.com resolves to a load balancer that has two EC2 instances as its targets. The main configuration for the Shibboleth application server lies in the /etc/shibboleth/ directory (along with the certificates).
Besides the Shibboleth services, the EC2 instances also run an Apache2 server that serves an index.php page. This page is located in /var/www/html and takes care of redirecting requests to the correct "platform" (e.g. de.statista.com), based on the locale of the user's browser.