Shibboleth Implemented Protocols and Profiles
Below is a list of the protocols and profiles supported by the "current" Shibboleth products. Support is generally the same across products, and any differences are noted.
- A YES does not indicate that every possible option has been implemented, as some protocols/profiles have many tens or hundreds of possible options. It does indicate that, at minimum, all required options are supported.
- Some protocol implementations may not be available in the base download, but are available as extensions.
Identity and Service Provider
Protocol/Profile | Identity Provider | Native Service Provider |
---|---|---|
SAML 1.1 1 | ||
| YES | YES |
| YES | YES |
| YES 4 | YES 2 |
| YES | YES |
SAML 2.0 | ||
| YES 4 | YES |
| YES 4 | YES 2 |
| YES | YES |
| YES | YES |
| YES 5 | YES |
| NO | YES 3 |
| NO | NO |
WS-Federation Passive (ADFS) | NO | YES |
WS-Trust 1.3 | NO | NO |
OpenID 1 | NO | NO |
OpenID 2 | NO | NO |
OAuth | NO | NO |
OpenID Connect | YES 6 | NO |
CAS | YES 7 | NO |
1 Support for SAML 1.0 is minimal and mostly accidental with modern releases.
2 Implemented as part of SSO profile support, exposed through additional features in SP 2.6 and later.
3 Implemented only in the form of application notification hooks for IdP-initiated protocol. SP-initiated not supported.
4 Implemented to rely on SPSSODescriptor role in metadata, no support for query extension role as yet.
5 A first implementation of real Single Logout was added in IdP 3.2 and is still under active development.
6 A supported third-party extension is available for V3 and was migrated to a Shibboleth git repository for V4. Substantial configuration instability should be expected between now and an eventual "stable" version delivered with V5 (no sooner than 2021).
7 Introduced in IdP V3, see documentation for specifics on features.
Discovery Services
Protocol/Profile | Embedded DS |
---|---|
Shibboleth 1 Discovery (WAYF) Protocol | NO |
SAML 2 Discovery Service Protocol | YES |