If you work in access management or the broader IT field, you are likely to have heard of Shibboleth. But what exactly is Shibboleth, and what can Shibboleth do for you? In this guide, we will answer these questions, and describe seven of our Shibboleth top tips and how they may be useful to you.
To fully understand Shibboleth, it helps to understand certain terms. Here we have listed some of the key terminology that is used to describe Shibboleth’s features and uses.
- Open-source: Open-source software is software that is free to anybody to download, use, and even modify (depending on the specific licence), as opposed to paid software where the license has limitations in these areas. Shibboleth is an example of open-source software, as is Firefox, OpenOffice, and Linux.
- IdP: An Identity Provider (or IdP) is a platform that enables authentication of users via a login screen. Some IdPs come with features such as MFA (Multi-Factor Authentication) and visual Dashboards.
- SP: A Service Provider (or SP) is any service or application that a user wants to access. An SP could be a file, an application, a website, or a database.
- Entity ID: An Entity ID is a unique ID assigned to a Shibboleth IdP and verified (via certificates and metadata) by any SPs that recognise that Entity ID, in order to successfully authenticate users under that IdP. An Entity ID usually comes in the form of a URL, but can also be a numerical code. SPs store IdP metadata XML files that contain the Entity IDs of IdPs. This metadata file also includes a certificate and endpoint URLs, which are used to securely validate and perform the authentication.
- IAM: IAM is an abbreviation of Identity and Access Management, a catch-all term for the broader concept of managing user identities and which users are able to access which services, together with the processes and platforms used to carry this out.
- SAML: Short for Security Assertion Markup Language, SAML is an open standard used for Identity and Access Management, authentication, and federated services (groups of applications and services that share IAM processes).
- SSO: The term “SSO” is an abbreviation of “single sign-on”. SSO is a method of authentication which only requires users to enter login credentials once in order to access multiple applications or other services, rather than a separate login for each. IAM solutions such as Overt Software’s OvertIdP enable SSO for users across multiple applications.
- Single Log-Out: The usefulness of single sign-on would be severely limited if users had to then log out of every service or application used at the end of the day—not to mention the potential security implications of users remaining logged in to protected services. Thankfully, Shibboleth enables single log-out as well as single sign-on.
- Authentication: Authentication refers to the process of verification of identity, for either a user or a specific device.
What is Shibboleth?
Shibboleth is used by a huge number of organisations and institutions all over the world, from businesses and local councils to universities and colleges. It is particularly useful for identifying and authenticating members of organisations that need to protect their resources (for example, databases that contain sensitive information or personal details of customers) and only grant access to chosen individuals.
A particular benefit of Shibboleth is its anonymity—information can be released based on organisation and still be authenticated without the need for the sharing of personal details.
Shibboleth Top Tips
1. Use a Load Balanced IdP:
Load balancing is a technique that essentially creates a fully and identically functioning duplicate of your IdP that runs concurrently. This is extremely useful in the case of an IdP crashing, as the duplicate IdP will continue to function as usual, resulting in no downtime for you or your users. Load balancing can also be used to help during upgrades as one IdP can be updated without causing downtime.
2. Use MFA Plugins:
MFA—or Multi-Factor Authentication—is a system of authentication that requires the provision of multiple login credentials. For example, One-Time Passwords (or OTPs) sent to users via email or text message after username and password combinations have been accepted are a common example of MFA. Take a look at our MFA Plugin demo to see an example of MFA in action!
3. Install the OvertIdP Dashboard:
Overt Software’s OvertIdP is a Shibboleth-based IAM solution that comes with an integrated Dashboard. The Dashboard enables intuitive visualisation of accurate IAM reports, and easy granular access management across your entire organisation. This granular access is highly useful for administrators who want to assign, revoke, or limit (temporarily or indefinitely) access privileges to certain users or groups of users. The OvertIdP also features easy Roll-Backs, meaning that Shibboleth setups can be restored to previous versions if problems are encountered.
4. Set up Context Check Intercepts:
IdP administrators can make authorisation decisions regarding access to specific SPs using something called “Context Check Intercepts”, often simply referred to as “Checks”. Checks briefly interrupt the process of the IdP releasing user attributes to SPs, and grant or deny a user access to an SP based on chosen rules. Administrators can easily establish their own Checks with their own rules using platforms with granular access features, such as the OvertIdP. For more information on how you can create and manage Checks using the OvertIdP, check out our archived webinar.
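To make the mechanism concrete, here is an added Python model of what a Check does; it is illustrative code, not Overt Software's or the Shibboleth project's. The SP entityIDs, the entitlement URN and the rule format are assumptions; the attribute names (eduPersonAffiliation, eduPersonEntitlement) are standard eduPerson attributes. The check sits between attribute resolution and attribute release, and any SP without a rule is denied rather than silently allowed.

```python
"""Constructed model of a Shibboleth-style context check: after the IdP has
resolved a user's attributes and before it releases them to the SP, a rule for
that SP is evaluated and the release is allowed or blocked.  Names below are
illustrative; the SP entityIDs and entitlement URN are placeholders."""

# Rules keyed by SP entityID (placeholders).  Each rule names one resolved
# attribute and the set of values that grant access to that SP.
RULES = {
    "https://library.example.ac.uk/shibboleth": {
        "attribute": "eduPersonAffiliation",
        "allowed": {"student", "staff", "faculty"},
    },
    "https://hr.example.ac.uk/shibboleth": {
        "attribute": "eduPersonEntitlement",
        "allowed": {"urn:mace:example.ac.uk:entitlement:hr-admin"},
    },
}

# Audit trail of decisions, so a deny can be explained afterwards.
AUDIT_LOG = []


def context_check(sp_entity_id, attributes, rules=RULES):
    """Evaluate the rule for one SP against the user's resolved attributes.

    Returns (allowed, reason).  An SP with no rule is denied: the check fails
    closed rather than releasing attributes to an unlisted service.
    """
    rule = rules.get(sp_entity_id)
    if rule is None:
        return False, "no rule configured for this SP (deny by default)"
    have = set(attributes.get(rule["attribute"], ()))
    matched = have & rule["allowed"]
    if matched:
        return True, f"{rule['attribute']} contains {sorted(matched)}"
    return False, f"{rule['attribute']} has no permitted value"


def release_attributes(user_id, sp_entity_id, attributes, rules=RULES):
    """Intercept the release: return the attributes to send, or None when blocked.

    Every decision is appended to AUDIT_LOG with its reason, so a user who is
    turned away can be told why and the rule can be adjusted if needed.
    """
    allowed, reason = context_check(sp_entity_id, attributes, rules)
    AUDIT_LOG.append({"user": user_id, "sp": sp_entity_id,
                      "allowed": allowed, "reason": reason})
    return dict(attributes) if allowed else None


if __name__ == "__main__":
    # Constructed users: a student, and a member of staff holding an HR entitlement.
    alice = {"eduPersonAffiliation": ["student"], "mail": ["alice@example.ac.uk"]}
    bob = {"eduPersonAffiliation": ["staff"],
           "eduPersonEntitlement": ["urn:mace:example.ac.uk:entitlement:hr-admin"]}
    for user, attrs, sp in [
        ("alice", alice, "https://library.example.ac.uk/shibboleth"),
        ("alice", alice, "https://hr.example.ac.uk/shibboleth"),
        ("bob", bob, "https://hr.example.ac.uk/shibboleth"),
        ("bob", bob, "https://unknown-sp.example.org/shibboleth"),
    ]:
        outcome = "released" if release_attributes(user, sp, attrs) else "blocked"
        print(user, sp, "->", outcome)
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log is the part worth keeping in a real deployment: a Check that denies access with no recorded reason turns every helpdesk ticket into a guessing game.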
5. Set Certificate Reminders:
SSL (Secure Sockets Layer) certificates are essential for keeping data secure between servers. However, they do expire, which can cause a real headache for organisations that require frequent sharing of sensitive data. OvertIdP enables administrators to set reminders for when SSL certificates are about to expire.
6. Customise Your Login Page(s):
Some Shibboleth solutions, including the OvertIdP, enable administrators to customise the aesthetics and functions of their login screens. This can be particularly useful if you want your login screen to match the visual branding of your organisation or institution.
7. Use the MDQ Protocol to Manage Metadata:
Metadata files hosted on an HTTP server can be fetched and cached locally using Shibboleth’s File Backed HTTP Metadata Provider. If administrators want to reduce the memory consumed by metadata and speed up processing, the MDQ protocol can be used instead to configure the IdP or SP to download and verify only the metadata for the specific entities it needs, rather than an entire metadata aggregate.
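The following added Python example (not code from the Shibboleth project or Overt Software) ties together the Entity ID and metadata terminology above, the certificate-expiry reminder from tip 5, and the per-entity MDQ lookup from tip 7. It builds the two request URL forms the MDQ protocol defines for one entity (the entityID percent-encoded in full, and the {sha1} transformed identifier), then parses a constructed IdP metadata document of the kind such a query returns and reports what an SP should care about: that the entityID matches what was asked for, that a signing certificate is present, how many days remain before validUntil, and that every SingleSignOnService endpoint is HTTPS. The MDQ base URL, entityID, endpoints and certificate body are placeholders, so the XML signature that a real MDQ client checks with the federation's signing key is not verified here.

```python
"""Constructed example: how an SP (or IdP) would request one entity's metadata
over MDQ and what it should check in the document it gets back.  The MDQ base
URL, entityID, endpoints and certificate text are placeholders; the parsing
and checks follow the SAML 2.0 metadata schema."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import quote

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed MDQ response for one IdP.  One endpoint is deliberately plain
# http so the checks below have something to flag; the certificate body is a
# placeholder, not a real certificate.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.ac.uk/idp/shibboleth"
    validUntil="2030-01-15T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.ac.uk/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def mdq_request_urls(base_url, entity_id):
    """The two request forms MDQ defines for a single entity: the entityID
    percent-encoded in full, or the {sha1} transformed identifier (hex SHA-1 of
    the entityID), which sidesteps encoding problems with '/' and ':'."""
    base = base_url.rstrip("/")
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return {
        "encoded": f"{base}/entities/{quote(entity_id, safe='')}",
        "sha1": f"{base}/entities/{{sha1}}{digest}",
    }


def days_until(expiry, now):
    """Whole days left before an expiry instant (negative once it has passed).
    The same arithmetic serves for a TLS certificate's notAfter date."""
    return (expiry - now) // timedelta(days=1)


def parse_idp_metadata(xml_bytes):
    """Pull out the fields an SP relies on: entityID, validUntil, signing
    certificates and the SingleSignOnService endpoints."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single EntityDescriptor, got %s" % root.tag)
    valid_until = root.get("validUntil")
    certs = root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return {
        "entity_id": root.get("entityID"),
        "valid_until": (datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
                        if valid_until else None),
        "certificates": [c.text.strip() for c in certs if c.text and c.text.strip()],
        "sso_endpoints": [(e.get("Binding"), e.get("Location")) for e in sso],
    }


def check_metadata(doc, requested_entity_id, now, remind_days=30):
    """Return a list of findings; an empty list means the document is usable."""
    findings = []
    if doc["entity_id"] != requested_entity_id:
        findings.append("entityID mismatch: asked for %s, got %s"
                        % (requested_entity_id, doc["entity_id"]))
    if not doc["certificates"]:
        findings.append("no signing certificate in metadata")
    if doc["valid_until"] is None:
        findings.append("no validUntil; cannot tell when to refresh")
    else:
        left = days_until(doc["valid_until"], now)
        if left < 0:
            findings.append("metadata expired %d days ago" % -left)
        elif left <= remind_days:
            findings.append("metadata expires in %d days; schedule a refresh" % left)
    for binding, location in doc["sso_endpoints"]:
        if not location.startswith("https://"):
            findings.append("non-HTTPS %s endpoint: %s" % (binding.rsplit(":", 1)[-1], location))
    return findings


def audit_sample(now_iso):
    """Run the checks on the constructed sample as of the given UTC instant."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    doc = parse_idp_metadata(SAMPLE_IDP_METADATA)
    return check_metadata(doc, "https://idp.example.ac.uk/idp/shibboleth", now)


if __name__ == "__main__":
    urls = mdq_request_urls("https://mdq.example-federation.org",
                            "https://idp.example.ac.uk/idp/shibboleth")
    print(urls["encoded"])
    print(urls["sha1"])
    for finding in audit_sample("2029-12-20T00:00:00Z"):
        print("-", finding)
```

Run as of 20 December 2029 the sample yields two findings: the metadata expires in 26 days (inside the 30-day reminder window), and the HTTP-POST endpoint is not HTTPS. The `remind_days` threshold is the piece to wire into whatever reminder mechanism you use, and `days_until` works unchanged on a TLS certificate's notAfter once you have extracted it.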
Getting the most out of your Shibboleth
The first thing to remember is to keep your Shibboleth updated. Keeping software updated not only enables you to make use of the latest features, but it also reduces the chances of you running into bugs or security issues—hackers often target out-of-date software, especially immediately after patches and updates are released.
Another thing to remember is that Shibboleth works best in a federated environment. Joining a federation (a framework of shared resources, such as SPs, that share access requirements) can enable easy access to many different resources.
If keeping up with the technical ins and outs of Shibboleth seems tricky and time-consuming, you could use an external company, such as Overt Software Solutions, to maintain and manage your Shibboleth and take the stress off your IT team.
Frequently Asked Questions
Is Shibboleth free to download and install?
Shibboleth is 100% free to download and install.
Is Shibboleth difficult to use?
How difficult Shibboleth is to download, install, maintain, and use day-to-day is entirely dependent on your level of technical knowledge. Using Shibboleth is usually more complex than using popular paid software, which offers easy tutorials for every step. Thankfully, there are companies such as Overt Software Solutions that specialise in carrying out Shibboleth installations and maintenance.
Is Shibboleth secure?
Shibboleth implementations vary among different organisations and platforms. The security of Shibboleth is dependent on how well it is implemented, how frequently updates are installed, and how it is used. When Shibboleth is installed and maintained by experts, it is highly secure.
Can a Shibboleth IdP be customised?
A Shibboleth IdP can be customised, but doing so requires a level of technical knowledge. Companies such as Overt Software Solutions provide fully-supported Shibboleth installations that can be easily customised with the help of their technicians.
Does Shibboleth come with a visual Dashboard?
The standard Shibboleth software does not come with a visual Dashboard interface, but some customised versions of Shibboleth, such as the OvertIdP, do include this feature.
Does Shibboleth come with customer support?
As Shibboleth is free open-source software, tech support is limited to advice. However, implementations like the OvertIdP do include full customer support, where expert technicians can help set up your Shibboleth implementation, apply updates, and fix potential issues directly.