Supported Protocols
- Scott Cantor
- ChadC
- Thomas Lenggenhager
Shibboleth Implemented Protocols and Profiles
Below is a list of the protocols and profiles supported by the "current" Shibboleth products, which are generally the same as older versions, but any differences are noted.
A YES does not indicate that every possible option has been implemented as some protocol/profiles have many tens or hundreds of possible options. It does indicate that at minimum all required options are supported.
Some protocol implementations may not be available in the base download, but are available as extensions.
Identity and Service Provider
Protocol/Profile | Identity Provider | Service Provider |
|---|---|---|
SAML 1.1 1 | ||
| YES | YES |
| YES | YES |
| YES | YES 2 |
| YES | YES |
SAML 2.0 | ||
| YES | YES |
| YES | YES 2 |
| YES | YES |
| YES | YES |
| YES 4 | YES |
| NO | YES 3 |
| NO | NO |
WS-Federation Passive (ADFS) | NO | YES |
WS-Trust 1.3 | NO | NO |
OpenID 1 | NO | NO |
OpenID 2 | NO | NO |
OAuth 2 | YES 5 | NO |
OpenID Connect | YES 6 | NO |
CAS | YES 7 | NO |
1 Support for SAML 1.0 is minimal and mostly accidental with modern releases. Support for SAML 1.1 in the IdP is approaching “deprecated/at-risk” status with V5.0 and may disappear in the future. Anybody still using SAML 1.1 should absolutely be prioritizing migrating off of it.
2 Implemented as part of SSO profile support, exposed through additional features in SP 2.6 and later.
3 Implemented only in the form of application notification hooks for IdP-initiated protocol. SP-initiated not supported.
4 A first implementation of real Single Logout was added in IdP V3.2.
5 An official plugin is available for V4.1+.
6 A supported third-party extension is available for V3/V4.0 and and official plugin is available for V4.1+
7 Introduced in IdP V3, see documentation for specifics on features.
Discovery Services
Protocol/Profile | Embedded DS |
|---|---|
Shibboleth 1 Discovery (WAYF) Protocol | NO |
SAML 2 Discovery Service Protocol | YES |