Our 7 Shibboleth Top Tips: What can Shibboleth do for you?

Introduction

If you work in access management or the broader IT field, you are likely to have heard of Shibboleth. But what exactly is Shibboleth, and what can Shibboleth do for you? In this guide, we will answer these questions, and describe seven of our Shibboleth top tips and how they may be useful to you.

Team setting up interlinking orange and grey cogs

Useful Terminology

To fully understand Shibboleth, it helps to understand certain terms. Here we have listed some of the key terminology that is used to describe Shibboleth’s features and uses.

Open-source: Open-source software is software that is free to anybody to download, use, and even modify (depending on the specific licence), as opposed to paid software where the license has limitations in these areas. Shibboleth is an example of open-source software, as is Firefox, OpenOffice, and Linux.
IdP: An Identity Provider (or IdP) is a platform that enables authentication of users via a login screen. Some IdPs come with features such as MFA (Multi-Factor Authentication) and visual Dashboards.
SP: A Service Provider (or SP) is any service or application that a user wants to access. An SP could be a file, an application, a website, or a database.
Entity ID: An Entity ID is a unique ID assigned to a Shibboleth IdP and verified (via certificates and metadata) by any SPs that recognise that Entity ID, in order to successfully authenticate users under that IdP. An Entity ID usually comes in the form of a URL, but can also be a numerical code. SPs store IdP metadata XML files that contain the Entity IDs of IdPs. This metadata file also includes a certificate and endpoint URLs, which are used to securely validate and perform the authentication.
IAM: IAM is an abbreviation of Identity and Access Management, which is a catch-all term that refers to the broader concept of managing user identities and which are able to access different services, and the processes and platforms used to carry this out.
SAML: Short for Security Assertion Markup Language, SAML is an open standard used for Identity and Access Management, authentication, and federated services (groups of applications and services that share IAM processes).
SSO: The term “SSO” is an abbreviation of “single sign-on”. SSO is a method of authentication which only requires users to enter login credentials once in order to access multiple applications or other services, rather than a separate login for each. IAM solutions such as Overt Software’s OvertIdP enable SSO for users across multiple applications.
Single Log-Out: The usefulness of single sign-on would be severely limited if users had to then log out of every service or application used at the end of the day—not to mention the potential security implications of users remaining logged in to protected services. Thankfully, Shibboleth enables single log-out as well as single sign-on.
Authentication: Authentication refers to the process of verification of identity, for either a user or a specific device.

What is Shibboleth?

Shibboleth is a piece of open-source software that is used for various purposes, including being a key part of an Identity and Access Management (IAM) strategy. Shibboleth is based on the SAML standard, and enables authentication and access to multiple SPs via an IdP.

Shibboleth is used by a huge number of organisations and institutions all over the world, from businesses and local councils to universities and colleges. It is particularly useful for identifying and authenticating members of organisations that need to protect their resources (for example, databases that contain sensitive information or personal details of customers) and only grant access to chosen individuals.

A particular benefit of Shibboleth is its anonymity—information can be released based on organisation and still be authenticated without the need for the sharing of personal details.

Partnership puzzle vector person business illustration teamwork concept. Piece team cooperation connect jigsaw solution together. Success collaboration strategy work challenge. Office brainstorming

Shibboleth Top Tips

1.Use a Load Balanced IdP:

Load balancing is a technique that essentially creates a fully and identically functioning duplicate of your IdP that runs concurrently. This is extremely useful in the case of an IdP crashing, as the duplicate IdP will continue to function as usual, resulting in no downtime for you or your users. Load balancing can also be used to help during upgrades as one IdP can be updated without causing downtime.

2.Use MFA Plugins:

MFA—or Multi-Factor Authentication—is a system of authentication that requires the provision of multiple login credentials. For example, One-Time Passwords (or OTPs) sent to users via email or text message after username and password combinations have been accepted are a common example of MFA. Take a look at our MFA Plugin demo to see an example of MFA in action!

3.Install the OvertIdP Dashboard:

Overt Software’s OvertIdP is a Shibboleth-based IAM solution that comes with an integrated Dashboard. The Dashboard enables intuitive visualisation of accurate IAM reports, and easy granular access management across your entire organisation. This granular access is highly useful for administrators who want to assign, revoke, or limit (temporarily or indefinitely) access privileges to certain users or groups of users. The OvertIdP also features easy Roll-Backs, meaning that Shibboleth setups can be restored to previous versions if problems are encountered.

4. Set up Context Check Intercepts:

IdP administrators can make authorisation decisions regarding access to specific SPs using something called “Context Check Intercepts”, often simply referred to as “Checks”. Checks briefly interrupt the process of the IdP releasing user attributes to SPs, and grant or deny a user access to an SP based on chosen rules. Administrators can easily establish their own Checks with their own rules using platforms with granular access features, such as the OvertIdP. For more information on how you can create and manage Checks using the OvertIdP, check out our archived webinar.

5.Set Certificate Reminders:

SSL (Secure Sockets Layer) certificates are essential for keeping data secure between servers. However, they do expire, which can cause a real headache for organisations that require frequent sharing of sensitive data. OvertIdP enables administrators to set reminders for when SSL certificates are about to expire.

6.Customise Your Login Page(s):

Some Shibboleth solutions, including the OvertIdP, enable administrators to customise the aesthetics and functions of their login screens. This can be particularly useful if you want your login screen to match the visual branding of your organisation or institution.

7. Use the MDQ Protocol to Manage Metadata:

HTTP metadata files stored on an HTTP server can be requested for viewing using Shibboleth’s File Backed HTTP Metadata Provider. If administrators want to reduce metadata memory loads and increase speed of processes, the MDQ protocol can be used to configure an entity to download and verify only specific metadata rather than the entire metadata aggregate.

Getting the most out of your Shibboleth

Shibboleth may be free to download and use, but this means that there may be some work to do yourself if you really want to get the most out of your Shibboleth implementation.

The first thing to remember is to keep your Shibboleth updated. Keeping software updated not only enables you to make use of the latest features, but it also reduces the chances of you running into bugs or security issues—hackers often target out-of-date software, especially immediately after patches and updates are released.

Another thing to remember is that Shibboleth works best in a federated environment. Joining a federation (a framework of shared resources, such as SPs, that share access requirements) can enable easy access to many different resources.

If keeping up with the technical ins and outs of Shibboleth seems tricky and time-consuming, you could use an external company, such as Overt Software Solutions, to maintain and manage your Shibboleth and take the stress off your IT Team

multiple grey and orange question marks with confused people underneath

Frequently Asked Questions

Is Shibboleth free to download and install?

Shibboleth is 100% free to download and install.

Is Shibboleth difficult to use?

How difficult Shibboleth is to download, install, maintain, and use day-to-day is entirely dependent on your level of technical knowledge. Using Shibboleth is usually more complex than using popular paid software, which offers easy tutorials for every step. Thankfully, there are companies such as Overt Software Solutions that specialise in carrying out Shibboleth installations and maintenance.

Is Shibboleth secure?

Shibboleth implementations vary among different organisations and platforms. The security of Shiboleth is dependent on how well it is implemented, how frequently updates are installed, and how it is used. When Shibboleth is installed and maintained by experts, it is highly secure.

Can a Shibboleth IdP be customised?

A Shibboleth IdP can be customised, but doing so requires a level of technical knowledge. Companies such as Overt Software Solutions provide fully-supported Shibboleth installations that can be easily customised with the help of their technicians.

Does Shibboleth come with a visual Dashboard?

The standard Shibboleth software does not come with a visual Dashboard interface, but some customised versions of Shibboleth, such as the OvertIdP, do include this feature.

Does Shibboleth come with customer support?

As Shibboleth is free open-source software, tech support is limited to advice. However, implementations like the OvertIdP do include full customer support, where expert technicians can help set up your Shibboleth implementation, apply updates, and fix potential issues directly.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
tve_leads_unique	1 month	This cookie is set by the provider Thrive Themes. This cookie is used to know which optin form the visitor has filled out when subscribing a newsletter.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
c3po.jpg	Session	This pixel tracker, set by metricool.com, collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heatmaps for the website owner.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook as part of their embedded services on our websites (likes, sharing etc.).
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
ClientId	1 year	No description available.
li_gc	2 years	No description
OIDC	6 months	No description available.
OutlookSession	session	No description available.
tl_1206_1206_4	1 month	No description
tl_544_544_1	1 month	No description