Shibboleth is a software solution that provides Single Sign-On (SSO) service, allowing users to gain access to web resources both inside and outside SMU after logging in only one time. Shibboleth also allows website owners, such as Concur and LinkedIn Learning, to make authorization decisions about an individual’s level of access to their online resources. All of this is done securely and in a way that preserves the individual’s privacy.
Shibboleth began as an Internet2 project in 2000. In 2013, the Shibboleth Consortium was chartered to support continued development of the software, with Internet2 participating in the Consortium as a principal member.
Security and operational benefits:
- Single Sign-On. Once you've logged in to one Shibboleth-protected service, you will not need to log in again to use another until your session expires or you switch to a different browser.
- The application never handles passwords. Only the SMU login page sees your SMU ID and password; the service you are accessing receives an assertion about you instead. If that service is compromised, your credentials are not.
- Logging in through the central SMU login page applies account-misuse and fraud-detection controls that an application authenticating users directly against the directory would bypass.
- The Shibboleth logging infrastructure meets campus requirements.
- Shibboleth is future-proof: an application does not bind itself to a specific authentication mechanism; instead it binds to a piece of middleware that lets SMU choose from many authentication mechanisms without changing the application.
- It is integrated with Active Directory.
Shibboleth Login Page
The Shibboleth login page shows up in your browser after you select "login" at one of the Shibboleth-protected web services. The Shibboleth login page is run by SMU and accepts your SMU ID and password to log you in, or "authenticate" you. Once you have successfully logged in, you are sent back to the service you were attempting to access, such as Canvas or LinkedIn Learning.
The Shibboleth login page ONLY works if you are sent to it by a web service or application. It requires information from the originating web service to know where to go after you log in. You should bookmark the site you are trying to access (smu.edu/LinkedIn for example) rather than the Shibboleth Login Page.
A sampling of the services with Shibboleth enabled:
- LinkedIn Learning (smu.edu/LinkedIn)
- Media Bank (mediaarchive.smu.edu)
- Mustang Health Services (studenthealth.smu.edu)
- Concur (travel.smu.edu)
- SMU Parking (smuparking.t2hosted.com)
- Canvas (smu.edu/canvas)
- my.SMU (my.smu.edu)
The Shibboleth software implements widely used federated identity standards, primarily Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. A user authenticates with their home organization's credentials, and the identity provider passes only the identity information the service provider needs to make an authorization decision.
The typical identity provider process is the following:
- Accept a SAML authentication request from the service provider a user wants to access.
- Authenticate the user against their home organization's authentication service.
- Collect user data from the organization's source data.
- Apply policy to control what data is released to which service provider.
- Securely transmit the collected information to the service provider.
The typical service provider process is the following:
- Intercept access to a protected resource or application entry point.
- Discover the user's choice of identity provider.
- Issue a SAML authentication request to the selected identity provider.
- Process the SAML authentication responses and extract rich user information.
- Apply local policies and gather additional data.
- Pass rich identity information to application resources.
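The two step lists above describe one exchange seen from each side. The following is an added illustration written for this page, not Shibboleth's own code: a toy SAML 2.0 Web Browser SSO round trip in Python's standard library, with the service provider building an AuthnRequest, the identity provider authenticating the user, applying a per-service attribute-release policy, and returning a Response, and the service provider validating that Response (Destination, InResponseTo, Issuer, Status, Audience, validity window) before trusting any attribute in it. All entity IDs, URLs, the directory record, the password, and the release policy are constructed for the example. XML signature verification, which a real SP performs before any other check, is omitted because it is not available in the standard library.

```python
# Toy SAML 2.0 SSO exchange in the shape Shibboleth uses. Added illustration, not Shibboleth code;
# every name, URL, user record and policy below is made up for the example.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
IDP_ID = "https://idp.example.edu/idp/shibboleth"                     # assumed IdP entityID
SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"   # assumed IdP SSO endpoint

def q(ns, tag):           # Clark-notation helper for namespaced tags
    return f"{{{ns}}}{tag}"

def ts(delta=0):          # SAML timestamps are UTC xs:dateTime with a Z suffix; fixed width, so they compare as strings
    return (datetime.now(timezone.utc) + timedelta(seconds=delta)).strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed source data, credential store and attribute-release policy (IdP steps 3 and 4).
DIRECTORY = {"jdoe": {"uid": "jdoe", "mail": "jdoe@example.edu", "displayName": "Jane Doe",
                      "eduPersonAffiliation": "student", "telephoneNumber": "+1-214-555-0100"}}
PASSWORDS = {"jdoe": "correct horse"}
RELEASE_POLICY = {"https://learning.example.com/sp": {"mail", "displayName"}}   # each SP gets only what it needs

class ServiceProvider:
    def __init__(self, entity_id, acs_url):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.pending = {}     # outstanding request IDs -> the protected resource the user asked for

    def intercept(self, resource):
        """SP steps 1-3: protect the resource, pick the IdP, issue an AuthnRequest (HTTP-Redirect binding)."""
        req_id = "_" + uuid.uuid4().hex
        req = ET.Element(q(SAMLP, "AuthnRequest"), ID=req_id, Version="2.0", IssueInstant=ts(),
                         Destination=SSO_URL, AssertionConsumerServiceURL=self.acs_url)
        ET.SubElement(req, q(SAML, "Issuer")).text = self.entity_id
        self.pending[req_id] = resource
        # Redirect binding: raw DEFLATE then base64, carried in the SAMLRequest query parameter
        return base64.b64encode(zlib.compress(ET.tostring(req))[2:-4]).decode()

    def consume(self, saml_response_b64):
        """SP steps 4-6: validate the Response, then hand the released attributes to the application."""
        resp = ET.fromstring(base64.b64decode(saml_response_b64))
        # A real SP verifies the XML signature here first; omitted to stay standard-library only.
        if resp.get("Destination") != self.acs_url:
            raise ValueError("response was not addressed to our assertion consumer service")
        resource = self.pending.pop(resp.get("InResponseTo"), None)   # pop, so a replayed response fails
        if resource is None:
            raise ValueError("unsolicited or replayed response")
        if resp.find(q(SAML, "Issuer")).text != IDP_ID:
            raise ValueError("response from an untrusted identity provider")
        if resp.find(f"{q(SAMLP, 'Status')}/{q(SAMLP, 'StatusCode')}").get("Value") != STATUS_OK:
            raise ValueError("authentication failed at the identity provider")
        a = resp.find(q(SAML, "Assertion"))
        cond = a.find(q(SAML, "Conditions"))
        if cond.find(f"{q(SAML, 'AudienceRestriction')}/{q(SAML, 'Audience')}").text != self.entity_id:
            raise ValueError("assertion was issued for a different service provider")
        if not (cond.get("NotBefore") <= ts() < cond.get("NotOnOrAfter")):
            raise ValueError("assertion is outside its validity window")
        attrs = {at.get("Name"): at.find(q(SAML, "AttributeValue")).text for at in a.iter(q(SAML, "Attribute"))}
        return {"subject": a.find(f"{q(SAML, 'Subject')}/{q(SAML, 'NameID')}").text,
                "attributes": attrs, "resource": resource}

class IdentityProvider:
    def __init__(self, sp_metadata):
        self.sp_metadata = sp_metadata   # SP entityID -> registered ACS URL, i.e. the SP's metadata

    def sso(self, saml_request_b64, username, password):
        """IdP steps 1-5: accept the request, authenticate, collect, filter by policy, return a Response."""
        if not saml_request_b64:         # a bare visit to the login page has nowhere to return the user
            raise ValueError("no SAMLRequest: the login page must be reached from a service")
        req = ET.fromstring(zlib.decompress(base64.b64decode(saml_request_b64), -15))
        sp_id = req.find(q(SAML, "Issuer")).text
        acs = req.get("AssertionConsumerServiceURL")
        if self.sp_metadata.get(sp_id) != acs:       # never send assertions to an endpoint not in metadata
            raise ValueError("unknown service provider or ACS URL not in its metadata")
        if PASSWORDS.get(username) != password:      # stand-in for the campus directory check
            raise PermissionError("bad credentials")
        released = {k: v for k, v in DIRECTORY[username].items() if k in RELEASE_POLICY.get(sp_id, ())}
        return self._response(req.get("ID"), sp_id, acs, username, released)

    def _response(self, in_response_to, sp_id, acs, username, attrs):
        resp = ET.Element(q(SAMLP, "Response"), ID="_" + uuid.uuid4().hex, Version="2.0",
                          IssueInstant=ts(), Destination=acs, InResponseTo=in_response_to)
        ET.SubElement(resp, q(SAML, "Issuer")).text = IDP_ID
        ET.SubElement(ET.SubElement(resp, q(SAMLP, "Status")), q(SAMLP, "StatusCode"), Value=STATUS_OK)
        a = ET.SubElement(resp, q(SAML, "Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=ts())
        ET.SubElement(a, q(SAML, "Issuer")).text = IDP_ID
        ET.SubElement(ET.SubElement(a, q(SAML, "Subject")), q(SAML, "NameID")).text = username
        cond = ET.SubElement(a, q(SAML, "Conditions"), NotBefore=ts(-60), NotOnOrAfter=ts(300))
        ET.SubElement(ET.SubElement(cond, q(SAML, "AudienceRestriction")), q(SAML, "Audience")).text = sp_id
        st = ET.SubElement(a, q(SAML, "AttributeStatement"))
        for name, value in attrs.items():
            ET.SubElement(ET.SubElement(st, q(SAML, "Attribute"), Name=name), q(SAML, "AttributeValue")).text = value
        # HTTP-POST binding: the browser auto-submits this base64 Response to the SP's ACS URL
        return base64.b64encode(ET.tostring(resp)).decode()

def demo():
    """One full round trip: user hits a protected page, logs in at the IdP, lands back with attributes."""
    sp = ServiceProvider("https://learning.example.com/sp", "https://learning.example.com/Shibboleth.sso/SAML2/POST")
    idp = IdentityProvider({sp.entity_id: sp.acs_url})
    saml_request = sp.intercept("https://learning.example.com/courses/42")
    saml_response = idp.sso(saml_request, "jdoe", "correct horse")
    return sp.consume(saml_response)

if __name__ == "__main__":
    print(demo())
```

Two things to notice when running it: the service provider receives only mail and displayName even though the directory also holds uid, affiliation and a phone number, because the release policy is keyed by the requesting service's entity ID; and presenting the same Response a second time, or to a different service provider, is rejected, because the request ID is consumed on first use and the Destination and Audience are bound to the original requester.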