This wiki space contains a number of topics about Shibboleth as a technical system, but most of the information is really more about SAML, which is the primary (though not only) protocol supported by the IdP and the only one supported by the SP. Understanding Shibboleth is first and foremost a matter of understanding SAML, and secondarily understanding SSO in general and the specific technologies we use to build and support the software.
There have historically not been a large number of books on SAML and even fewer of any quality or real accuracy. One we know of (not free) is SAML 2.0: Designing Secure Identity Federation by Stefan Rasmuson, who has older books on OpenSAML itself, so is familiar with some of the Shibboleth code. |
The Shibboleth software is a web-based single sign-on system made up of three components:
The following diagram shows the interaction between the user, located at their web browser, the IdP, located at the home organization, and the SP, located at the resource organization.
Given this very basic familiarity with the Shibboleth components and their interactions, the following documentation provides further detail. The section Understanding the Basics provides further information about the concepts and components within Shibboleth. The Identity Provider and Service Provider sections give further details relating specifically to their respective components.
Describes the goals of the Shibboleth software and the environments in which it operates. | |
Describes the general flow through the system. | |
Describes what metadata is and how it is used by Shibboleth. | |
Discusses what a user session is and a Shibboleth session differs from normal web application sessions. | |
Describes what Name Identifiers are and how they are used. | |
A glossary of terms used throughout this wiki. |
Entity Naming | Naming guidelines for systems |
Attribute Naming | Naming guidelines for attributes |
Describes how one Shibboleth component identifiers itself to, and trusts, another. | |
Describes how a service provider determines a user's identity provider. | |
Advanced Uses | Discussion of more advanced use cases. |
Describes the different request/response types that Shibboleth supports. |
Relying Parties | Describes how the IdP identifies and interacts with relying parties. |
Sessions | Describes how the IdP establishes and maintains sessions. |
Describes how the IdP uses metadata. | |
Attribute Storage | Discussion of attribute storage and access. |
Describes the skill set an IdP deployer should have. |
Sessions | Describes how the SP establishes and maintains sessions. |
Describes how the SP uses metadata. | |
Attribute-based Access Control | Discusses how information form the IdP can be used to control access to a resource. |
Describes the skill set an SP deployer should have. |