Shibboleth Version 2.0
Internet2 Community Releases Shibboleth Version 2.0
New Major Release of Open Source Federated Authentication Suite Provides Enhanced Functionality, Enables More Seamless Installation and Operation
Arlington, VA, USA. April 21, 2008.
Internet2 today announced that it has released Shibboleth 2.0, the latest major version of the most widely-deployed federated authentication implementation. Developed by the Internet2 community and its partners around the world, the latest release greatly enhances several key elements of Shibboleth to ensure interoperability with other commercial and open-source federated identity solutions, to improve personalization and security, and to ease installation, management and operation.
The goal is to provide a more robust and interoperable platform that will help catalyze the worldwide growth of higher education and research federations like the InCommon Federation which serves the U.S. higher education sector and provides a framework for participating organizations to collaborate and share resources using Shibboleth technology.
"Shibboleth aims to help our community meet the increasing demand for access to protected online applications and resources as well as to support the growing need for campus-based researchers to use online collaboration tools to support work with peers at other institutions. Shibboleth 2.0 provides an improved platform for exchanging information in a secure and privacy-preserving manner while at the same time reducing the administrative burdens for institutions and their service provider partners," said Ken Klingenstein, Internet2 senior director of middleware and security. "We are grateful for the tremendous collaboration in developing this important new release and look forward to working with the worldwide Shibboleth community to further roll out and refine this technology."
Shibboleth 2.0 adds an open source implementation of the OASIS SAML 2.0 standard to the suite of protocol implementations available in previous releases. The software provides a secure single sign-on mechanism for institutions to enable their users to access protected online resources within their campuses and from their external service provider partners while at the same time protecting individual user privacy.
Shibboleth leverages an institution's login and directory systems to authenticate users at their home institution (or "identity provider") and then passes only the relevant information, or "attributes," to the service provider to grant the user access to its online resources. Attributes can include a wide range of information that characterizes the user, e.g. identity, permissions at the service provider, employee or student status at the university, class enrollment, age, graduating class, etc. The service provider and institution agree on which attributes are needed to make that user eligible to access specific resources.
Shibboleth 2.0 enhances the ability for identity providers to use and manage "anonymous identifiers" to protect user privacy but still allow for personalization. The identity provider assigns a persistent unique identifier to a specific user which allows service providers to tailor and improve services based on the needs of that user without knowing their specific identity. For instance, a medical student searching for articles on a specific disease or treatment via an online medical journal could save his or her searches using the anonymous identifier and then build on their research over time. For the user, this is a transparent process; no knowledge of the identifier is needed.
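The persistent anonymous identifier described above can be illustrated with a small worked example. This is added illustration code, not Shibboleth's own implementation: the keyed-hash construction, the entity IDs, the salt and the in-memory issuance log are all assumptions made here. What it demonstrates is the three properties such an identifier needs (stable per user and service provider, unlinkable across service providers, not reversible without the identity provider's secret), how the value surfaces as a SAML 2.0 persistent NameID, and why the identity provider, and only the identity provider, can still follow up an abuse report.

```python
"""Added example (not Shibboleth's own code): derive a persistent, SP-specific
opaque identifier for a user, present it as a SAML 2.0 persistent NameID, and
keep an issuance log so the IdP alone can map a pseudonym back to a user when
abuse is reported."""
import base64
import hashlib
import hmac

IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"          # constructed
IDP_SALT = b"constructed-secret-salt-replace-in-production"       # assumption: private to the IdP
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Issuance log: (sp_entity_id, pseudonym) -> local principal. Only the IdP
# holds this, which is what lets it follow up abuse reports without the SP
# ever learning the user's campus identity.
_issued = {}


def persistent_id(sp_entity_id, principal, salt=IDP_SALT):
    """Stable per-(user, SP) pseudonym.

    Properties a privacy-preserving identifier needs:
    - same (user, SP) -> same value on every login, so the SP can personalize;
    - different SPs -> unrelated values, so SPs cannot correlate a user;
    - keyed hash, so the value cannot be brute-forced back to a username
      without the IdP's salt.
    The HMAC-SHA256 construction here is an assumption for illustration,
    not Shibboleth's exact algorithm.
    """
    msg = sp_entity_id.encode() + b"!" + principal.encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_name_id(sp_entity_id, principal):
    """Build the NameID the IdP would place in the assertion subject and
    record the issuance for later abuse follow-up."""
    value = persistent_id(sp_entity_id, principal)
    _issued[(sp_entity_id, value)] = principal
    return {
        "Format": PERSISTENT_FORMAT,
        "NameQualifier": IDP_ENTITY_ID,   # who issued the identifier
        "SPNameQualifier": sp_entity_id,  # whom it was issued for
        "value": value,
    }


def resolve_report(sp_entity_id, value):
    """Abuse follow-up at the IdP: pseudonym -> principal, or None if the
    pseudonym was never issued to that SP (e.g. one SP presenting another
    SP's identifier)."""
    return _issued.get((sp_entity_id, value))


if __name__ == "__main__":
    journal = "https://journal.example.org/shibboleth"   # constructed SP
    library = "https://library.example.org/shibboleth"   # constructed SP
    print(issue_name_id(journal, "jsmith"))
    print(issue_name_id(library, "jsmith"))  # different value, same user
```

The salt must be treated like a signing key: if it leaks, anyone holding a directory listing can recompute pseudonyms and de-anonymize users at every service provider.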
"Library users are frustrated with having to remember multiple passwords in order to get their research done. The ability to use Shibboleth to access personalized resources with a single user name and password greatly simplifies the user's experience. Shibboleth's unique anonymous identifier gives the user control over what additional identifiable information (if any) they choose to provide to a vendor, and assures the user's privacy across services," said Holly Eggleston, Assistant Department Head, UC San Diego Library Acquisitions.
Shibboleth 2.0 also adds new security features to ensure additional protection of user information. It includes encryption technology specified in the SAML 2.0 standard and provides an improved method for usage logging at the home institution to better track abuse or inappropriate use of the system.
From an operational perspective, the new version of Shibboleth makes it easier for IT staff both at the identity provider institution and service provider to install, operate and manage the software. For instance, to participate in a federation, institutions typically are required to implement a directory schema which provides a consistent set of user attributes among the federating organizations. Shibboleth 2.0 allows institutions to utilize their legacy directory schema by translating the data into the federation-specific attributes as needed in real time. In doing so, Shibboleth 2.0 greatly decreases the resources needed to implement the solution.
Penn State University, an early adopter of Shibboleth technology and a participant in InCommon, has had much experience in the implementation and operation of the technology and sees many benefits to the new version.
"Shibboleth has provided us the unprecedented ability to deliver both improved security and privacy for our users while at the same time greatly enhancing collaboration opportunities," said Kevin Morooney, CIO, Penn State University. "Shibboleth 2.0 removes several implementation barriers from an administration and management standpoint providing a more seamless path for institutions large or small to migrate to a federated environment. Because of this, we believe we will see even more rapid adoption of federations like InCommon."
As organizations continue to deploy identity management solutions like Shibboleth, the vision is to move these institutions and their service providers into "trust federations." Federations bring together multiple organizations with common needs into one group or association to leverage the use of a common set of attributes, practices and policies to exchange information about their users and resources to simplify the management of collaborations and transactions.
The InCommon Federation, which serves the U.S. higher education sector, now has close to two million users at nearly 80 institutions as well as service providers, and continues to expand rapidly. In addition, there are a growing number of state-level federations that include state and municipal governments and the K-12 sector.
To support the continued growth of federations, Shibboleth 2.0 enables organizations to seamlessly comply with a federation's policies and practices without changing campus directory infrastructures, and extends automated support for federation processes. For instance, as new service providers or institutions are added to a federation, new "metadata" is required to setup the technical exchange for collaboration. In the past, adding new metadata required IT staff to develop their own methods to update the information. Shibboleth 2.0 automatically downloads the metadata as often as the organization specifies.
In addition, as federations continue to proliferate, it becomes increasingly important to support multiple protocols to ensure interoperability between federations. Using Shibboleth, federations and partners that utilize any authentication architecture built on popular standards such as SAML 2.0 and Active Directory Federation Services specifications will have the ability to interoperate and interfederate with any federation or partner utilizing those standards.
Beyond the multi-protocol support, Shibboleth offers additional features for the higher education and research communities: management of attribute release policies on a site, group and user basis; policy-based management of attribute acceptance; real scalable support for large-scale federations; and strong support for application integration.
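Two of the mechanisms mentioned above, the real-time translation of a legacy directory schema into federation attributes and the management of attribute release policy on a site, group and user basis, are easier to see in code. The following is an added example written for this page; it is not Shibboleth's attribute resolver or filter configuration. The directory records, the campus affiliation codes, the entity IDs, the scope and the policy rules are all constructed. It shows a deny-by-default release filter layered from site, group and user rules over attributes resolved from a campus-specific schema.

```python
"""Added example (not Shibboleth's own code): resolve legacy directory
attributes into federation attributes on the fly, then apply a release
policy assembled from site-, group- and user-level rules."""

IDP_SCOPE = "example.edu"  # assumption: the IdP's attribute scope

# Constructed legacy directory records in a campus-specific schema.
LEGACY_DIRECTORY = {
    "jsmith": {"cn": "Jane Smith", "mail": "jsmith@example.edu",
               "psAffilCode": ["STU", "LIB"], "psDept": "Medicine"},
    "rlee":   {"cn": "Robert Lee", "mail": "rlee@example.edu",
               "psAffilCode": ["FAC"], "psDept": "Physics"},
}

# Constructed translation table: campus codes -> eduPersonAffiliation values.
# Codes with no federation meaning (e.g. "LIB") are simply not exported.
AFFIL_CODES = {"STU": "student", "FAC": "faculty", "STF": "staff"}


def resolve_attributes(uid):
    """Translate one legacy record into federation attributes at request time,
    so the campus directory itself never has to change schema."""
    rec = LEGACY_DIRECTORY[uid]
    affils = {AFFIL_CODES[c] for c in rec["psAffilCode"] if c in AFFIL_CODES}
    if affils:
        affils.add("member")  # anyone with a real affiliation is a member
    affils = sorted(affils)
    return {
        "eduPersonPrincipalName": f"{uid}@{IDP_SCOPE}",
        "displayName": rec["cn"],
        "mail": rec["mail"],
        "eduPersonAffiliation": affils,
        "eduPersonScopedAffiliation": [f"{a}@{IDP_SCOPE}" for a in affils],
        "psDept": rec["psDept"],  # campus-only attribute, never released below
    }


# Constructed release policy, evaluated in three layers:
#   site  : rules for one specific SP entityID
#   group : rules for a set of SPs (here, every member of a federation)
#   user  : attributes a user has chosen to release to a given SP in addition
RELEASE_POLICY = {
    "site": {
        "https://journal.example.org/shibboleth": {"displayName"},
    },
    "group": {
        "federation": {"eduPersonScopedAffiliation"},
    },
}
USER_CONSENT = {
    ("jsmith", "https://journal.example.org/shibboleth"): {"mail"},
}


def release_attributes(uid, sp_entity_id, sp_groups):
    """Return only the attributes policy allows for this user and SP.
    Anything not explicitly allowed stays at the IdP (deny by default)."""
    resolved = resolve_attributes(uid)
    allowed = set(RELEASE_POLICY["site"].get(sp_entity_id, set()))
    for group in sp_groups:
        allowed |= RELEASE_POLICY["group"].get(group, set())
    allowed |= USER_CONSENT.get((uid, sp_entity_id), set())
    return {name: value for name, value in resolved.items() if name in allowed}


if __name__ == "__main__":
    journal = "https://journal.example.org/shibboleth"
    print(release_attributes("jsmith", journal, ["federation"]))
    print(release_attributes("rlee", "https://other.example.net/sp", ["federation"]))
    print(release_attributes("rlee", "https://unknown.example.net/sp", []))  # {}
```

The order of the layers does not matter because each layer only adds permissions; what matters is that the filter starts empty, so an SP that belongs to no federation and has no site rule receives nothing, and a campus-only attribute such as psDept is never exported unless a rule names it.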
Klingenstein added, "Shibboleth 2.0 will play a critical role in helping to realize the vision of creating interconnected trust communities for seamless and secure access to information and services. Over the last year, Shibboleth has moved from being an open source project to a community source project; increasingly, the community is supporting itself and participating in the software development process."
Internet2 and its partners announced the release of Shibboleth 2.0 at the annual Internet2 Spring Member Meeting held in Arlington, VA from April 21-23, 2008. Meeting sessions on middleware technology such as Shibboleth and InCommon are listed at: http://www.internet2.edu/middleware/2008SMM-MW.html.
For more information on Shibboleth, visit: http://Shibboleth.internet2.edu. For more information on InCommon, visit: http://www.incommonfederation.org/.
About Internet2
Internet2 is the foremost U.S. advanced networking consortium. Led by the research and education community since 1996, Internet2 promotes the missions of its members by providing both leading-edge network capabilities and unique partnership opportunities that together facilitate the development, deployment and use of revolutionary Internet technologies. Internet2 brings the U.S. research and academic community together with technology leaders from industry, government and the international community to undertake collaborative efforts that have a fundamental impact on tomorrow's Internet. For more information, see http://www.internet2.edu.
Shibboleth Version 2.0 Release Details
Version 2.0 is a major new release that significantly improves interoperability, functionality, and manageability. It also provides more options for deployment while simplifying the installation process. A list of major new features can be found below.
Shibboleth 2.0 now becomes the "current stable release". Shibboleth v1.3.x moves from "current stable release" to "previous stable release". On May 19, 2008, which is 60 days after the release of Shibboleth 2.0, Shibboleth v1.2.x moves from "previous stable release" to unsupported.
Documentation
Documentation is available on our wiki. As a major new release, the Identity Provider features a revised configuration structure with a new installation process. There is no direct migration of older installations. The Service Provider includes significant new functionality but the primary configuration files are similar to those used with the previous release.
Downloads
Binary packages are available for Windows, Solaris 8 and 10, Mac OS X, and Red Hat Enterprise Linux 4 and 5. The IdP implementation is entirely in Java, so there is one package for all platforms. It has been tested with Sun Java 1.5 and 1.6, and the Apache and JBoss servlet containers.
Source, binaries, and some dependencies are available from the downloads directory.
Older releases and dependencies can be found in the archive directory for each component.
Technical Support
Shibboleth is an open source project, and we do not guarantee support. Commercial support of Shibboleth is available from several vendors.
However, if you encounter problems, you can join the shibboleth-users mailing list, and post a description of your problem. Members of the global Shibboleth community support each other using that email list.
If you discover a bug, please post it to our Jira-based issue repository. Bugs can be posted against Shibboleth IdP 2 - Java, Shibboleth SP - C++, and Shibboleth Discovery Service - Java.
Lastly, a big thank you to the many people who helped us test this version, and improve the quality of the overall package, the install process, and the documentation.
Federation Support
We expect that over the coming months the federations where Shibboleth is used will announce support for this new release and SAML 2 endpoints in their federation metadata. Please check with your federation for detailed information on their plans.
Major Features in Shibboleth 2.0
Interoperability
- Improved interoperability with commercial and open source federation solutions.
- Support for SAML 2.0 and SAML 1.1. Fully backward compatible with Shibboleth 1.3. Some interoperability testing has been done between a Shibboleth v1.2 IdP and a 2.0 SP. That minimal testing has been successful; however, 1.2 is no longer supported, and no guarantees are offered.
- New default behavior eliminates callbacks and extra firewall/SSL configuration for SAML 2.0 deployments. Note that few Service Providers are currently ready to support this mode.
Manageability
- Improved support for managing metadata, including real-time download and caching, and generation of provider metadata from configuration.
- Flexible new attribute release and acceptance policy engines with shared syntax.
- Integration with most major identity stores, including Microsoft Active Directory, Kerberos, LDAP-compliant directory services, and JDBC-compliant databases.
- Improved backend support in the IdP for persistent opaque identifiers to facilitate privacy-preserving access to services.
- The IdP can reload almost all configuration files within a running system.
- The IdP now maintains separate Access and Audit logs.
Functionality
- Encryption of user data between providers, even without callbacks.
- Optional authentication support available in the IdP via JAAS.
- Extensive clustering support for both the IdP and the SP.
- A new Discovery Service implementation compliant with the OASIS SAML Discovery Service protocol, supporting multi-protocol federation deployments. SPs that are members of multiple federations are strongly encouraged to investigate this new component.
- FastCGI support within the SP.
- Stable and documented APIs for extending a variety of IdP and SP functionality.
More options for deployment
- Support for a Tomcat-only deploy of the IdP. This is now the easiest and most straightforward way to learn about the Shibboleth software. Sites should evaluate the suitability of this configuration for production use.
- The IdP component will run in the Apache and JBoss servlet containers, on most OS platforms.
- Much simplified installation process for testing and evaluating both the IdP and SP components.
- SP packages will be provided for all major platforms, including widely used Linux distributions, Solaris, Windows, and Mac.
Shibboleth and SAML
The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
The Shibboleth software implements widely used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License.
Relationship between Shibboleth and SAML: There are several bedrock relationships. Shortly after the Shibboleth project was conceived in spring of 2000, the OASIS working group for SAML was formed with founders that included the Shibboleth core developers. The Shibboleth work was then structured so that the basic requirements in Shibboleth for XML and protocols that were shared with the OASIS activity were done there as part of the SAML spec. (Three of the seven authors of the SAML 1.0 spec were principals in Shibboleth.) That synergy is even more pronounced in the SAML 2.0 standard, where the technical editor of that specification is Scott Cantor of Ohio State, who is also the lead Shibboleth architect. SAML 2.0 represents the convergence of the OASIS specs, much of the Shibboleth system, and the Liberty Alliance ID-FF specifications.
The Shibboleth and SAML design processes have been coupled to ensure that Shibboleth is standards-based. Because of this design, on a software level, a major part of the Shibboleth system is the OpenSAML libraries, which are also widely used. OpenSAML is at the core; Shibboleth software adds a set of components to augment that capability into a federating system that meets the needs of the R&E community. Both the OpenSAML libraries and the Shibboleth software are developed by the Shibboleth team and released as open source...
Prepared by Robin Cover for The XML Cover Pages archive. See also: "Security Assertion Markup Language (SAML)."