Shibboleth: A User Perspective

Wednesday, March 10, 2010
PDF icon Shibboleth_A_User_Perspective.pdf228.68 KB


  • We have meeting topics scheduled through the end of the year with the exception of June.
    • April: Fonts/Copyrights, Video Tags, HTML 5
  • Tracey Hummel wanted to let everybody know that there are no new W4 accounts available – the server is at capacity.

Presentation: Shibboleth: A User Perspective (see attached)
Presenter: Mike Hagedon, University Libraries

  1. I am not an expert at this. I'd simply like to give a brief talk and quick tutorial to convince more people to use Shibboleth.
  2. What is Shibboleth?
    1. A single sign-on solution that provides authentication (who are you?) and authorization (are you allowed to do this?)
    2. The difference between Shibboleth and WebAuth is that WebAuth provides authentication only.
      1. The name comes from a story in the Old Testament:
  3. Basic architecture of Shibboleth:
    1. There's an identity provider at UITS
    2. Our servers have to be running the service
  4. Setting Up Shibboleth:
    1. First, the Shibboleth Service Provider daemon/service must be running on whatever system you want to use it. If you don't already have Shibboleth installed, that may be the hardest part of the process. If you have a supported OS, it shouldn't be too painful:
      1. RPM-based Linux distributions
      2. Recent Ubuntu releases have v2 in the repositories
      3. Windows
      4. If your OS is not supported, compiling can be difficult, but doable.
      5. Fortunately, I hear w4 has Shibboleth installed already.
  5. However you get the service provider running (even if you're on w4) you still need to register your app. This can include development/testing boxes, so don't be intimidated. I haven't had a request denied yet. Be aware that it may take a couple days for the approval to go through. And, you need to have completed FERPA training.
  6. Two ways that I’ve used it:
    1. Via .htaccess (this is Apache specific)
    2. Using lazy/passive sessions
  7. Demo:
    1. .htaccess method (Apache-specific)
      1. You type three lines in the .htaccess file, which is saved in the folder that you want protected:
        1. AuthType Shibboleth
        2. ShibRequireSession on
        3. Require valid-user (you can change this to a particular person such as Shib-uid mhagedon)
      2. For another example (limiting only to current CLAS930 students), change the Require line to this:
        1. Require Shib-isMemberOf ~ 2010spring:CLAS930 (this is an example of grouper)
      3. The phpinfo() function will display Shibboleth data, for those of you who use PHP.
    2. Lazy / passive sessions
      1. Put these three lines in .htaccess (or httpd.conf):
        1. AuthType Shibboleth
        2. ShibRequireSession off
        3. Require Shibboleth
      2. Then try out a PHP script:
        if (isset($_SERVER['Shib-uaId'])) {
        echo "Logged in<br />";
        echo $_SERVER['Shib-uaId'] . "<br />";
        echo "<a href="/Shibboleth.sso/Logout">Log out of application</a><br />";
        echo "<a href="/Shibboleth.sso/Logout?return=">Log out of application and WebAuth</a><br />";
        } else {
        echo "<a href="/Shibboleth.sso/Login?return=">Login</a><br />";
      3. Shibboleth data comes from EDS (information can be found here: Here are the EDS attributes:
      4. I would recommend applying for access to EDS, which you can also access through LDAP.
  8. Here are some problems that I (or others in the Libraries) have encountered. None of these are really Shibboleth / EDS problems; some are related to the underlying data store, especially as a result of the Mosaic transition.
    1. Administrative faculty are not faculty - shib-primary-affiliation
    2. Librarians are not faculty
    3. Bug in Phusion Passenger (Rails-specific)
    4. No addresses in Shibboleth
    5. Dept number changed
    6. UAID changed
  9. I recommend testing, testing, testing the data!