===Shibboleth 1.3===
In the canonical use case:
# A user first accesses a resource hosted by a web server (the service provider) that has Shibboleth content protection enabled.
# The SP crafts a proprietary authentication request that is passed through the browser using URL query parameters to supply the requester's SAML entityID, the assertion consumption location, and optionally the end page to return the user to.
# The user is redirected to either their home IdP or a WAYF (Where Are You From) service, where they select their home IdP for further redirection.
# The user authenticates to an access control mechanism external to Shibboleth.
# Shibboleth generates a SAML 1.1 authentication assertion with a temporary "handle" contained within it. This handle allows the IdP to recognize a request about a particular browser user as corresponding to the principal that authenticated earlier.
# The user is POSTed to the assertion consumer service of the SP. The SP consumes the assertion and issues an AttributeQuery to the IdP's attribute service for attributes about that user, which may or may not include the user's identity.
# The IdP sends an attribute assertion containing trusted information about the user to the SP.
# The SP either makes an access control decision based on the attributes or supplies information to applications to make decisions themselves.

Shibboleth supports a number of variations on this base case, including portal-style flows whereby the IdP mints an unsolicited assertion to be delivered in the initial access to the SP, and lazy session initiation, which allows an application to trigger content protection through a method of its choice as required.

Shibboleth 1.3 and earlier do not provide a built-in [[authentication]] mechanism, but any Web-based authentication mechanism can be used to supply user data for Shibboleth to use. Common systems for this purpose include [[Central Authentication Service|CAS]] or [[Pubcookie]]. The authentication and single-sign-on features of the Java container in which the IdP runs (Tomcat, for example) can also be used.
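The exchange in the numbered steps above, as an added Python model that is not part of the article or of the Shibboleth code base: the SP's query-string request, the IdP's handle-bearing assertion, the back-channel attribute query with per-SP attribute release, and the checks an SP performs before trusting what arrives in the browser POST. The entity IDs, URLs, user attributes and signing key are constructed; the parameter names providerId/shire/target follow Shibboleth 1.x conventions and are assumed here, and an HMAC stands in for the SAML XML signature.

```python
"""Toy model of the Shibboleth 1.3 flow above; names, key and attributes are constructed."""
import hmac, hashlib, json, secrets, time
IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's XML-signature key

def sign(assertion):  # HMAC over the fields stands in for the SAML XML signature
    body = json.dumps({k: v for k, v in assertion.items() if k != "sig"}, sort_keys=True)
    return hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

class IdP:
    def __init__(self, users, release_policy, handle_ttl=300):
        self.users, self.release_policy, self.ttl = users, release_policy, handle_ttl
        self.handles = {}  # temporary handle -> (principal, expiry)
    def sso(self, query, authenticated_user):
        """Step 5: authentication happened outside Shibboleth; mint the handle + assertion."""
        handle = secrets.token_urlsafe(16)  # opaque: the SP learns no identity from it
        self.handles[handle] = (authenticated_user, time.time() + self.ttl)
        a = {"id": secrets.token_hex(8), "issuer": "idp.example.org", "handle": handle,
             "recipient": query["shire"], "audience": query["providerId"]}
        a["sig"] = sign(a)
        return {"SAMLResponse": a, "TARGET": query.get("target")}  # step 6: browser POST
    def attribute_query(self, requester, handle):
        """Step 7: resolve the handle, release only what policy allows this SP."""
        entry = self.handles.get(handle)
        if entry is None or entry[1] < time.time():
            raise PermissionError("unknown or expired handle")
        allowed = self.release_policy.get(requester, set())
        return {k: v for k, v in self.users[entry[0]].items() if k in allowed}

class SP:
    def __init__(self, entity_id, acs, idp):
        self.entity_id, self.acs, self.idp, self.seen = entity_id, acs, idp, set()
    def auth_request(self, target=None):
        """Step 2: query parameters (assumed Shibboleth 1.x names providerId/shire/target)."""
        q = {"providerId": self.entity_id, "shire": self.acs, "time": int(time.time())}
        return {**q, "target": target} if target else q
    def consume(self, post):
        """Step 6: verify, then AttributeQuery over the back channel (modelled as a call)."""
        a = dict(post["SAMLResponse"])
        if not hmac.compare_digest(a.pop("sig"), sign(a)):
            raise PermissionError("bad signature")
        if a["recipient"] != self.acs or a["audience"] != self.entity_id:
            raise PermissionError("assertion not addressed to this SP")
        if a["id"] in self.seen:
            raise PermissionError("replayed assertion")
        self.seen.add(a["id"])
        return self.idp.attribute_query(self.entity_id, a["handle"]), post["TARGET"]
    def authorize(self, attrs):  # step 8: decide on attributes, not on identity
        return "member" in attrs.get("eduPersonAffiliation", [])
```

In a real deployment the attribute query is a SOAP call from the SP to the IdP's attribute service, so the handle never has to carry identity through the browser.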