Shibboleth Overview
Overview
The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
Shibboleth is an Internet2 project.
Additionally, MUSC is part of the InCommon Federation. This allows us to provide access to our resources to authenticated users of member organizations.
MUSC uses Shibboleth to allow for centralized authentication. Owners of a Shibbolized resource can gatekeep access to their project by using CGI variables returned from a successful authentication.
How does it work?
Your webserver runs a daemon (Shibboleth) that protects folders you specify in the Shibboleth configuration file shibboleth2.xml.
If someone tries to go to a folder protected by Shibboleth, the daemon intercepts the request and forwards the user to the Identity Provider (IdP), shibboleth.musc.edu.
The user then authenticates with their NetID and the session is passed back to the Service Provider along with a number of CGI variables.
The service provider uses these CGI variables to decide whether or not to provide access.
For example, the Library might allow access to a costly resource only to those users categorized as employees. Vendors and contract staff would be denied access, as the resource contract requires.
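As an added illustration of the authorization step just described (not code from MUSC or the Shibboleth project), here is a CGI script in the spirit of the test scripts MUSC provides: it reads the variables the SP exports after login and decides whether the caller may use a licensed resource. The variable names (Shib-Session-ID, affiliation, eppn), the set of allowed affiliations and the musc.edu scope are assumptions for the example; take the real names from the CGI Variable List.

```python
#!/usr/bin/env python3
"""Attribute-based access control in a Shibboleth-protected CGI script.

After shibd has sent the user to the IdP and received the response, the SP
exports the released attributes to the web server as environment variables,
which a CGI script sees in os.environ.  This script gates a hypothetical
licensed library resource on the user's affiliation.
"""
import html
import os
import sys

# Variable names are assumptions modelled on the default attribute-map.xml;
# confirm the real names against the MUSC CGI Variable List.
SESSION_VAR = "Shib-Session-ID"   # present only when shibd established a session
AFFILIATION_VAR = "affiliation"   # scoped affiliation, e.g. "staff@musc.edu"
IDENTITY_VAR = "eppn"             # principal name, e.g. "jdoe@musc.edu"

# Assumed policy: the resource contract covers employees only.
ALLOWED_AFFILIATIONS = {"employee", "staff", "faculty"}
HOME_SCOPE = "musc.edu"           # assumed scope asserted by the MUSC IdP


def scoped_affiliations(env):
    """Parse the SP's ';'-joined multi-valued attribute into (affiliation, scope) pairs.

    Values without an '@' scope are dropped: an unscoped value cannot be tied
    to an IdP, so it is not trusted for this decision.
    """
    pairs = []
    for value in env.get(AFFILIATION_VAR, "").split(";"):
        value = value.strip().lower()
        if "@" not in value:
            continue
        affiliation, scope = value.rsplit("@", 1)
        pairs.append((affiliation, scope))
    return pairs


def is_authorized(env, home_scope=HOME_SCOPE):
    """Allow only an authenticated user whose home IdP asserts an allowed affiliation.

    Read the SP-populated environment, not raw HTTP request headers: a client can
    send a header with any name, but it cannot set the server's environment.
    The scope check matters in a federation, where a partner IdP may also assert
    'employee' for its own people.
    """
    if not env.get(SESSION_VAR):
        return False
    return any(scope == home_scope and affiliation in ALLOWED_AFFILIATIONS
               for affiliation, scope in scoped_affiliations(env))


def respond(env):
    """Return (status line, body) for the request described by env."""
    if is_authorized(env):
        # Escape the identity before reflecting it into HTML.
        who = html.escape(env.get(IDENTITY_VAR, "unknown user"))
        return "200 OK", f"Welcome, {who}. You may use the licensed resource."
    if env.get(SESSION_VAR):
        return "403 Forbidden", "Your affiliation does not permit access to this resource."
    return "401 Unauthorized", "No Shibboleth session; check that this path is protected in shibboleth2.xml."


if __name__ == "__main__":
    status, body = respond(os.environ)
    # CGI response: the Status header tells the web server which HTTP status to send.
    sys.stdout.write(f"Status: {status}\r\nContent-Type: text/html; charset=utf-8\r\n\r\n")
    sys.stdout.write(f"<html><body><p>{body}</p></body></html>\n")
```

Drop the script into the protected "secure" folder as a CGI and it will only ever see a populated Shib-Session-ID when the request really passed through shibd; the explicit session check is still there so that a misconfigured RequestMap (path not protected) fails closed instead of serving the page.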
How do I get started?
- You'll need to install the Shibboleth Daemon on your IIS or Apache server.
- If using Linux, you can automate this process by pointing your package manager at a repository that carries the Shibboleth packages.
- If using Windows, there are MSI installers available on the Shibboleth download page.
- Make sure your system is set up to use HTTPS. This means you will probably have to install a certificate and configure your server to use HTTPS.
- Create your shibboleth2.xml file using this page.
- Download and replace these two files: attribute-policy.xml and attribute-map.xml
- Create a folder called "secure" off of your root resource. Download and place a test script in this directory.
- Having trouble?
  - CHECK THE LOG FILES
  - /var/log/shibboleth/shibd.log for RHEL
  - c:\opt\shibboleth-sp\var\log\shibboleth\shibd.log for Windows
  - Google the problem before asking for help.
  - Testshib.org is also a great resource.
  - CHECK THE LOG FILES
MUSC Resources
Shibboleth can run on both Apache HTTPD and IIS (6+).
We have provided a few resources to help facilitate your installations.
- MUSC Wiki - Instructions for the installation of Shibboleth.
  - Microsoft IIS
  - Apache HTTPD
- CGI Variable List
  - Shibboleth returns only specific values after an authentication.
- Shibboleth XML Maker
  - Use this form to create the shibboleth2.xml file for your installation.
- MUSC IDP Metadata
  - List of all of the public metadata for the MUSC IdP. All SPs use a URL- and file-backed metadata provider.
  - This prevents the IdP group from having to touch every SP when certificate or service information needs to be updated.
- Shibboleth Testing Scripts
  - ASP, ASPX, Perl, JSP, SSI and PHP.
- Attribute-map and Attribute-policy XML Files
  - These should replace the default install files.
Additional Resources
- Shibboleth Install Fest 2010
  - Contains VMs and a great walkthrough for both SPs and IdPs.
- Technical deployers info center
  - How to install both Service Providers and Identity Providers.
- TestShib
  - A testing service for Shibboleth2.
- Google
  - This helps A LOT and is faster than email.