
Shibboleth could be framework for identity management

Jul 09, 2003

* Shibboleth aims to define a federated system of authentication and authorization

Internet2 (I2) is a university-led consortium of educational, corporate and governmental institutions that is designing – and implementing – a “parallel universe” Internet. In fact, the group is essentially re-creating the old Internet which was controlled by the educational community (but allowed other entities to be on-board, once they were approved) and which was used primarily for research (as opposed to commercial) purposes. There’s no AOL on Internet2 and, while Microsoft’s Research division is a member, there’s no MSN either.

What brings I2 up on our radar is the recent release of Shibboleth Version 1.0.

According to I2, Shibboleth is a project to develop “architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of Web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community.”

What that means, in conversational language, is that Shibboleth is the technology to define and implement a federated system of authentication and authorization. You could call it an open source implementation of the Liberty Alliance specification, except Liberty isn’t proprietary.

And just as the Liberty specification is based on Security Assertion Markup Language (SAML), so too is Shibboleth based on the OpenSAML libraries.

There’s nothing inherent in Shibboleth to keep it only for Internet2. It could easily be used on Internet1 (a.k.a. “the Internet” – complete with AOL and MSN) by any group of Web sites that were interested. I say group because, like the Liberty spec, Shibboleth isn’t intended for single-site usage. That would be like looking in a mirror and saying, “yep, that’s me!” Hardly the basis for an identity management solution.

The major functions and parts of Shibboleth are:

* Federated administration – Similar functionality to Liberty’s “Circle of Trust.”

* Access control based on attributes – Target sites pick and choose among attributes asserted by the origin site on behalf of (and with the permission of) the user.

* Active management of privacy – The user controls release of attributes absolutely.

* Standards-based – SAML (via OpenSAML) and the Liberty specification form the basis of Shibboleth.

* A framework for multiple, scalable trust and policy sets – Called “Clubs,” they specify a set of parties that have agreed to a common set of policies. This moves the trust framework beyond bilateral agreements.

* A standard (yet extensible) AttributeValue vocabulary – Shibboleth has defined a standard set of attributes. The downer here is the use of something called the “eduPerson” object class that includes widely-used person attributes in higher education as the first created class. I’m not fully convinced that “person attributes in higher education” are that different from the attributes used by, say, OrgPerson in the standard LDAP-based class hierarchy.
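To make the list above concrete, here is an added toy model (written for this page, not Shibboleth or OpenSAML code) of how the three moving parts interact: the origin site applies the user's attribute release policy before it asserts anything, the target only accepts assertions from an origin in a shared Club, and the target's access decision is made purely on the released attribute values. The directory, release policy, club membership, hostnames and the eduPerson-style attribute names are all constructed sample data.

```python
"""Toy model of Shibboleth-style attribute release and attribute-based access
control. Added example; all data below is constructed and the attribute names
are only eduPerson-style placeholders, not the real schema."""
from dataclasses import dataclass

# Constructed: what the origin (home institution) knows about its users.
ORIGIN_DIRECTORY = {
    "alice": {
        "eduPersonAffiliation": "faculty",
        "eduPersonEntitlement": "urn:example:journal-access",
        "mail": "alice@example.edu",
        "sn": "Liddell",
    },
    "bob": {"eduPersonAffiliation": "student", "mail": "bob@example.edu", "sn": "Builder"},
}

# Constructed: the user's own release policy, per target site.
# "*" is the fallback for any target not listed explicitly.
RELEASE_POLICY = {
    "alice": {
        "library.example.org": {"eduPersonAffiliation", "eduPersonEntitlement"},
        "*": set(),  # release nothing to unlisted targets
    },
    "bob": {"*": {"eduPersonAffiliation"}},
}

# Constructed: a "Club" is a set of origins and targets sharing one policy set.
CLUBS = {
    "example-club": {"origins": {"example.edu"}, "targets": {"library.example.org"}},
}

# Constructed: target-side rules, resource -> attribute -> accepted values.
TARGET_RULES = {
    "library.example.org": {
        "/journals": {"eduPersonEntitlement": {"urn:example:journal-access"}},
        "/catalog": {"eduPersonAffiliation": {"faculty", "staff", "student"}},
    }
}


@dataclass
class AttributeAssertion:
    """Stand-in for a SAML attribute statement: who issued it, for whom, and what."""
    issuer: str
    audience: str
    attributes: dict


def release_attributes(user: str, target: str, origin: str = "example.edu") -> AttributeAssertion:
    """Origin side: filter the directory entry through the user's release policy
    so the target never sees attributes the user did not agree to release."""
    held = ORIGIN_DIRECTORY[user]
    policy = RELEASE_POLICY.get(user, {})
    allowed = policy.get(target, policy.get("*", set()))
    released = {name: value for name, value in held.items() if name in allowed}
    return AttributeAssertion(issuer=origin, audience=target, attributes=released)


def same_club(issuer: str, target: str) -> bool:
    """Trust check: origin and target must belong to at least one common Club."""
    return any(issuer in c["origins"] and target in c["targets"] for c in CLUBS.values())


def authorize(assertion: AttributeAssertion, target: str, resource: str) -> bool:
    """Target side: reject assertions not addressed to us or from outside our
    Club, then require every attribute the resource rule names to carry an
    accepted value. A missing attribute fails closed."""
    if assertion.audience != target or not same_club(assertion.issuer, target):
        return False
    rule = TARGET_RULES.get(target, {}).get(resource)
    if rule is None:
        return False  # no rule means no access, rather than default-allow
    return all(assertion.attributes.get(name) in accepted for name, accepted in rule.items())


if __name__ == "__main__":
    target = "library.example.org"
    for user in ("alice", "bob"):
        assertion = release_attributes(user, target)
        print(user, "released:", sorted(assertion.attributes))
        for resource in ("/journals", "/catalog"):
            print(f"  {resource}: {authorize(assertion, target, resource)}")
```

The point worth noticing is that `mail` and `sn` never leave the origin for either user, and that Bob's lack of the entitlement attribute denies `/journals` without the target ever learning anything else about him; the target decides on asserted attributes, not on identity.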

With that caveat, I think you should take a look at the Shibboleth definition. If you and your organization aren’t participating in the work of I2 this would be a very good reason to get involved. I’d like to see Shibboleth (or some similar identity management framework) built-in as a necessary feature of I2, but then I’d like to see I2 expand to encompass more than just ivory tower research.