
Shibboleth - implementation of SAML

References

Experience

In 2006 I wrote a Shibboleth Service Provider which was used in the [[Becta?]] testing service. It not only provided the basic Shibboleth Service Provider requirements but also mapped the users to the local directory by an automatic and a manual process. The manual process involved asking the user for their local credentials and keeping those for the next login.

In 2007 I designed an IdP (Identity Provider) integration project which was started but is not yet complete.

See Also

My Opinion

Shibboleth and OpenSAML are implementations of SAML, which in my opinion is a complicated set of tools for single sign-on and attribute passing. The problem is that there is no simple method to implement something like "Shibboleth Light" and still have it work. [[Open_ID?]] is a better solution for the single account; however, it has yet to achieve single sign-on, as it does not support the idea of a WAYF (Where Are You From) server.

Shibboleth also suffers from having no central WAYF. Universities in Australia make up a Federation (a group of people whose SSL keys are signed by a central body, so you don't have to do bilateral agreements). Now, as an SP (service provider) I might want to be part of the UK High Schools Federation and the Universities of Australia Federation. The problem is that there is no WAYF that knows the answer, so you end up having to ask the user that question, and thus there is still no single sign-on.

One of the reasons for the problems with Shibboleth is also its greatest advantage - attribute sharing.

We need three protocols, all independent, but with the ability to operate together.
