do it. think it. blog it! ... a twisted world

Friday May 20, 2005

EXCERPT FROM EDUCAUSE PUBLICATION

The open-source Shibboleth System extends Web-based applications and identity management for secure access to resources among multiple organizations

The Shibboleth System includes two major software components: the Shibboleth Identity Provider (IdP) and the Shibboleth Service Provider (SP). These two components are deployed separately but work together to provide secure access to Web-based resources. A step-by-step description of the Shibboleth sign-on process follows. While the details may vary based on deployment choices, the steps below are typical. The players include the user, who wants to use a protected Web resource; the resource provider Web site, which has installed the Shibboleth SP software; and the user's home organization, which has installed the Shibboleth IdP software.

  • The user navigates to the Web resource using her browser. The resource site is protected, and therefore requires information about the user in order to decide whether access is permitted.
  • The Shibboleth SP software redirects the browser to a "navigation" page (called a WAYF, for "where are you from"), which presents the user with a list of the organizations whose users may access the resource.
  • The user selects her home organization, and the browser is sent to the home organization's Web site running the Shibboleth IdP software. This site uses a Web sign-on method chosen by the home organization. The user now sees the familiar login Web page of her home organization, enters her username and password, and selects the Login button.
  • The Shibboleth IdP software sends the browser back to the original resource site and includes in the message some security information called an "assertion" that proves the user signed on. The Shibboleth SP software on the resource site validates the assertion and then requests additional information (attributes, such as "faculty" or "student in Film327") about the user by making a request to the home organization's Shibboleth IdP service.
  • The Shibboleth SP receives the user's attributes from the home organization's IdP and passes them along to the resource provider's Web application. The application uses those attributes and its access policy to decide whether the user's access is permitted or denied, displaying the appropriate page to the user's browser.
Often, many of these steps can be skipped. The WAYF can set a cookie in the user's browser so that the user doesn't see that page the next time through. If the home organization's Web authentication service uses single sign-on and the user already has a session with it, the login page won't be seen. In many cases the user can get access to the resource without seeing any intermediate Web pages at all. The process above resembles other Web sign-on schemes. In the rest of this section we present the features that distinguish the Shibboleth System.
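The sign-on steps above, as an added worked example that is not code from the Shibboleth project or the EDUCAUSE article. It simulates the exchange in one process: the IdP authenticates the user and issues a signed assertion carrying an opaque handle, the SP validates the assertion (signature, issuer, audience, validity window, one-time use) before trusting it, then queries the IdP for attributes, and the application applies its access policy to them. The entity IDs, user directory, attribute store, and the HMAC-over-JSON "signature" are all constructed assumptions; a real deployment uses SAML assertions, X.509 keys published in federation metadata, XML-DSig, and browser redirects between the sites.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical entity IDs and a constructed shared signing key. Real Shibboleth
# uses XML-DSig with the IdP's X.509 key; an HMAC stands in for that here, so
# the SP "verifies" with the same key the IdP signs with.
IDP_ENTITY_ID = "https://idp.example.edu/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def sign_payload(payload: dict) -> str:
    """Deterministic serialisation plus HMAC, standing in for an XML signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Home organisation: authenticates users, issues assertions, releases attributes."""

    # Constructed user directory and attribute store (not real accounts).
    USERS = {"alice": "correct horse", "bob": "battery staple", "carol": "hunter2"}
    ATTRIBUTES = {
        "alice": {"affiliation": "faculty"},
        "bob": {"affiliation": "student", "courses": ["Film327"]},
        "carol": {"affiliation": "student", "courses": ["Chem101"]},
    }

    def __init__(self):
        self.handles = {}  # opaque handle -> (username, SP it was issued for)

    def login(self, username, password, audience, now):
        """Steps 3-4: check credentials and return a signed assertion bound to `audience`."""
        if self.USERS.get(username) != password:
            return None
        handle = secrets.token_hex(16)
        self.handles[handle] = (username, audience)
        payload = {
            "issuer": IDP_ENTITY_ID,
            "audience": audience,
            "subject": handle,  # opaque: the SP learns nothing until it asks
            "issued": now,
            "expires": now + ASSERTION_LIFETIME,
            "id": secrets.token_hex(8),  # unique per assertion, for replay detection
        }
        return {"payload": payload, "signature": sign_payload(payload)}

    def attribute_query(self, handle, requester):
        """Step 4 (second half): release attributes only to the SP the handle was issued for."""
        username, audience = self.handles.get(handle, (None, None))
        if username is None or requester != audience:
            return {}
        return dict(self.ATTRIBUTES.get(username, {}))


class ServiceProvider:
    """Resource site: validates an assertion before trusting anything in it."""

    def __init__(self):
        self.seen_ids = set()  # assertion IDs already consumed

    def validate_assertion(self, assertion, now):
        """Step 4: signature, issuer, audience, validity window, one-time use."""
        payload, signature = assertion["payload"], assertion["signature"]
        if not hmac.compare_digest(signature, sign_payload(payload)):
            return None  # tampered, or not issued by our IdP
        if payload["issuer"] != IDP_ENTITY_ID or payload["audience"] != SP_ENTITY_ID:
            return None  # issued by or for a different federation member
        if not payload["issued"] <= now < payload["expires"]:
            return None  # stale or not yet valid
        if payload["id"] in self.seen_ids:
            return None  # replayed
        self.seen_ids.add(payload["id"])
        return payload["subject"]


def application_policy(attrs):
    """Step 5: the Web application's own rule: faculty, or students enrolled in Film327."""
    if attrs.get("affiliation") == "faculty":
        return True
    return attrs.get("affiliation") == "student" and "Film327" in attrs.get("courses", [])


def sign_on(idp, sp, username, password, now=0.0):
    """Runs the whole exchange and returns the outcome the user would see."""
    assertion = idp.login(username, password, SP_ENTITY_ID, now)
    if assertion is None:
        return "login failed"
    handle = sp.validate_assertion(assertion, now)
    if handle is None:
        return "assertion rejected"
    attrs = idp.attribute_query(handle, SP_ENTITY_ID)
    return "permitted" if application_policy(attrs) else "denied"


if __name__ == "__main__":
    idp, sp = IdentityProvider(), ServiceProvider()
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("carol", "hunter2"), ("alice", "wrong")]:
        print(user, "->", sign_on(idp, sp, user, pw))
```

The point the article makes about attributes is visible in the split between `validate_assertion` and `attribute_query`: the assertion only proves that someone signed on at the home organization, and the SP has to go back to the IdP to learn who that is in policy terms ("faculty", "student in Film327"), which is also where the home organization enforces what it is willing to release and to whom.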
Please Read the Complete Publication at http://www.educause.edu/apps/eq/eqm04/eqm0442.asp?bhcp=1