Shibboleth authentication tool upgraded
Open-source suite for federated identity management gets improved security, easier management
- By William Jackson
- Apr 22, 2008
Internet2 has announced a major release of its Shibboleth federated authentication suite, with added new encryption features from the SAML 2.0 standard, and improving ease of implementation and management of anonymous identifiers for users.
Shibboleth is an open source identity management tool that lets cooperating institutions share information about the identity of network users so users can get access to resources in the federation with a single sign-on. Internet2, an advanced educational and research networking consortium, announced the release of Shibboleth2 April 21 at its spring membership meeting in Arlington, Va.
Identity management is a key component of access control; it allows organizations to control access to online resources based on privileges assigned to a user who authenticates to the systems. Federated identity management allows multiple organizations to leverage identity information residing in different locations. Organizations in the federation share standards and processes for assigning identity, implementing directory schema to provide a consistent set of user attributes among the federating organizations. Tools such as Shibboleth provide a common a technology platform for accessing and applying the identity information.
Shibboleth, originally based on version 1.1 of the OASIS Security Assertion Markup Language, is used widely in the academic research community, providing a secure, single-sign on mechanism for users to access protected online resources within their campuses and from their external service provider partners.
This enables collaboration between students and faculty at different institutions and eases the process of conducting research across multiple institutions.
Shibboleth authenticates users at their home institutions and passes the relevant information, or attributes, to the institution that provides the online services being accessed. Attributes can
include a range of information characterizing the user, such as identity, permissions at the service provider, employee or student status, class enrollment, age and graduating class. The service provider and institution make agreements on which attributes are needed to make that user eligible to access resources.
Shibboleth 2.0 adds an implementation of the SAML 2.0 standard to the suite of protocol implementations, adding security features to protect users' information. It includes encryption technology specified in SAML 2.0 and provides an improved method for usage logging at the home institution to better track abuse or inappropriate use of the system.
The new release also enhances the use and management of anonymous identifiers to protect user privacy. The identity provider assigns a persistent unique identifier to a specific user. This allows service providers to tailor services to the needs of that user without knowing the specific identity. For instance, a student researching articles in an online medical journal could save the searches using the anonymous identifier and build on the research over time. This is transparent to the user, who does not have to know the identifier.
From an operational perspective, the new version of Shibboleth makes it easier for information technology staff members at the identity and service provider institutions to install, operate and manage the software. Shibboleth 2.0 allows institutions to use their legacy directory schema by translating the data into the federation-specific attributes as needed in real time, greatly decreasing the resources needed to implement the solution.
William Jackson is freelance writer and the author of the CyberEye blog.