Scott Penrose


Scott is an expert software developer with over 30 years experience, specialising in education, automation and remote data.

Shibboleth - implementation of SAML



In 2006 I wrote a Shibboleth Service Provider which was used in [[Becta?]] testing service. It not only provided the basic Shibboleth Service Provider requirements but also mapped the users to the local directory by automatic and manual process. The manual process involved asking the user for their local credentials, and keeping those for the next login.

In 2007 I designed a IdP - Identity Provider - integration project which was started but not yet complete.

See Also

  • [[Open_ID?]]

My Opinion

Shibboleth and OpenSAML are implementations of SAML, which in my opinion is a complicated set of tools for single sign on and attribute passing. The problem is there is no simple method to implement something like Shibboleth Light, and still have it work. [[Open_ID?]] is a better solution for the single account, it has yet to achieve single sign on however as it does not support the idea of a WAYF - Where Are You From server.

Shibboleth also suffers from no central WAYF. Universities in Australia make up a Federation (group of people where their SSL keys are signed by a central body, so you don't have to do bilateral agreements). Now as a SP (service provider) I might want to be part of the UK High Schools Federation and the Universities of Australia Federation - the problem is that there is no WAYF to know that answer, thus you end up having to give the user that question - thus there is still no single sign on.

One of the reasons for the problems with Shibboleth is also its greatest advantage - attribute sharing.

We need three protocols, all independent, but with the ability to operate together.

  • Single Account authentication - [[Open_ID?]] fits in nicely here.
  • Single Sign On - some way of knowing, maybe automatically which Open ID provider to go to. There is some work on Browser Plugins to do this, but it is not ideal.
  • Attribute sharing - if we had this, and a web of trust, we could ask a user for anything - e.g. their phone number. This is achievable on walled cities such as [[Facebook?]] and other community servers. In my mind this is like the days of AIM or Microsoft Mail - it was all within the one system. SMTP allows us to have our own systems, Jabber allows us to have our own instant messaging - now we need the same for attribute sharing and [[Web_of_Trust?]].