Single Sign-On and Shibboleth
Shibboleth is an open source software product that implements SAML (Security Assertion Markup Language). It consists of three functional parts:
- the identity provider (IdP): This component is associated with the institutional identity and access management resources and is used to manage user authentication sessions and supply attributes bound to the user to service providers for authorization.
- the service provider (SP): This component is bound to the web service or server that is implementing access control.
- the browser: The client is normally a web browser although SAML does support enhanced clients and proxies.
Shibboleth IdPs and SPs securely exchange authentication, authorization and configuration information with one another via an xml metadata file. IdPs and SPs listed in the metadata file typically form a federation. A federation is mainly a trust relationship, for example membership in the federation extends access to default user attribute information that can be used for authorization checking. Security of messaging between IdP and SPs is mainly handled by applying cryptography at various levels. For example, SAML messages are usually digitally signed, and can be encrypted.
The following site provides complete documentation and information on Shibboleth:
At the University of Toronto, there are three Shibboleth federations in service:
- University of Toronto webSSO federation (known as the UTORauth weblogin service ): this consists of the production IdP service run by ITS and SPs run by University departments and divisions. Note that this service will replace the use of Pubcookie as the underlying webSSO technology.
- Canadian Access Federation: this consists of IdPs from higher-ed institutions across Canada and SPs for higher-ed institutions and commercial service providers.
- live@edu federation: this is a bilateral federation between the University and Microsoft for the purpose of providing access to the UTMail+ service.
University Single Sign-On Federation
To install, configure and operate a shibboleth service provider under weblogin, consult the documentation page here:
To use attributes supplied by the IdP, consult the following page:
There is a testbed environment for testing of non-standard configuration or newer functionality. Please email the following with details:
For ITS - EASI developer staff, please consult the following to make use of the development shib environment:
Canadian Access Federation
The CAF is a Canada-wide SAML federation operated by CANARIE. There are over a dozen higher-ed IdPs and a number of commercial SPs participating. Note that service providers can configure access to their applications from any or all of the community members associated with the higher-ed IdPs. For more information:
Access to the Microsoft live@edu service is provided using SAML and Shibboleth. There are two components to the design - the first is regular web access via the SAML HTTP/POST profile. The second is rich client access for IMAPS and ActiveSync clients via the SAML Enhanced Client Proxy (ECP) profile. ECP is being focused on in the worldwide higher-ed community as technology to provide federated acccess for non-web clients - a very promising and desirable feature.
SAML (security assertion markup language) technology is an XML-based protocol and OASIS standard used to exchange authentication and authorization information securely in a variety of environments. It is being deployed at the University to provide webSSO services. It enables the following features:
- web single sign-on for intranets as well as across organizational boundaries.
- integrated authentication and authorization services.
- support for a federated identity - an identifier that can be used to map the identity of users outside an organization to a local user account.
OASIS privides a concise, easy to read technical overview of SAML and its use cases here: