In keeping with its commitment to the use of open-source technologies, the Texas Digital Library employs Shibboleth federated authentication software for authentication and identity management. The Shibboleth System is a standards based, open-source platform that allows TDL to authenticate users by leveraging its member institutions’ authentication and identity management systems.
With Shibboleth, faculty and staff at participating TDL member institutions can log on to most TDL services using the ID and password they use at their home institutions. The home institutions (or identity providers) give TDL enough information about each faculty member to enable authorization. In this way, faculty members at TDL institutions do not have to create unique IDs and passwords for TDL services, and TDL can leverage the existing authentication infrastructures of its member institutions.
How does Shibboleth work?
TDL provides multiple services, including repository services, scholarly publishing services, and preservation services. Each of these “service providers” interacts with users from academic institutions both within and outside the State of Texas. Participating academic institutions, acting as “identity providers,” supply the identity of their students, faculty, and staff so that those users can access the services offered by TDL.
The TDL Shibboleth architecture comprises several service providers (SPs), several identity providers (IdPs), and a single “where are you from” (WAYF) service. These components work together using the Shibboleth authentication system to provide a secure, distributed authentication mechanism across the State of Texas. The process is described below and in the figure to the right:
First the user will request access to a resource provided by one of TDL’s services. If authenticated access is required, the user will be automatically redirected to the “where are you from” service. At the WAYF the user will be presented with a list of participating institutions.
Once at the WAYF, the user selects his or her home institution, and will be directed to an authentication website hosted by that institution. The user will enter his or her username and password using his or her local identity.
TDL also operates its own identity provider, which a user may select at the WAYF. It serves people who need access to TDL resources but are not from a participating institution (for example, a non-TDL user who must review submissions for a TDL journal). In this case the TDL identity provider acts as the user’s home institution, and the identities it issues are not validated by a member institution.
Finally, after successfully authenticating with his or her home institution, the user is returned to the service provider. The user has now been authenticated using Shibboleth and is able to use the resource provided by TDL.
LEARN Shibboleth Federation
In October 2009 TDL announced a partnership with the Lonestar Education and Research Network (LEARN) to collaborate on networking projects in service to Texas researchers and academics. One key part of the collaboration has been the development of a statewide Shibboleth Federation managed by LEARN.
The Shibboleth Federation sets the policies and manages the relationships among TDL service providers and its members’ identity providers. In the LEARN Federation, LEARN mediates the relationships between TDL services on one side and member identity providers on the other, essentially “vouching” that the information provided by identity providers is trustworthy.
In its early years, the Texas Digital Library managed its own Shibboleth Federation. Since 2009, however, TDL has worked with LEARN to transfer all its members from the legacy TDL Shibboleth Federation to the LEARN Federation.
TDL Attribute Release Policy
The TDL specifies a set of attribute definitions to support basic attribute-based authorization. These attributes will be used to support the services provided within the TDL consortium.
Two levels of attributes exist: required and recommended. Identity providers must be able to supply all attributes marked as required to any service provider that requests the attribute. Identity providers need not be able to supply all recommended attributes, but when they do the meaning of that attribute must match the definition provided.
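The login flow described above (SP to WAYF to home IdP and back to the SP) and the required/recommended attribute split in this section, as an added worked example. This simulation is not TDL’s, LEARN’s or the Shibboleth project’s code: real Shibboleth carries SAML over HTTP redirects and signs assertions with XML signatures, whereas here each step is a plain function, messages are dicts, and an HMAC under a key published in the federation metadata stands in for the IdP’s signature. Every entity ID, key, user account and attribute policy value is constructed; which eduPerson attributes TDL actually requires is an assumption. The point the code makes is that the SP never checks passwords itself: it accepts only assertions from an IdP the federation vouches for, verifies them, and then enforces the attribute policy before serving the resource.

```python
"""Offline simulation of a federated login through a WAYF (constructed example)."""
import hashlib
import hmac
import json

# Federation metadata (constructed): the federation vouches for each IdP by
# publishing its entityID, display name and verification key.
FEDERATION_METADATA = {
    "https://idp.example-university.edu/shibboleth": {
        "display_name": "Example University",
        "key": b"constructed-key-example-university",
    },
    "https://idp.tdl.example.org/shibboleth": {
        "display_name": "Texas Digital Library (non-member accounts)",
        "key": b"constructed-key-tdl",
    },
}

# Attribute release policy (assumed; names are eduPerson attributes, the split is ours).
REQUIRED_ATTRIBUTES = {"eduPersonPrincipalName", "mail"}
RECOMMENDED_ATTRIBUTES = {"displayName", "eduPersonAffiliation"}

# Constructed user directories, one per IdP: username -> (password, attributes).
IDP_DIRECTORIES = {
    "https://idp.example-university.edu/shibboleth": {
        "jdoe": ("correct horse", {"eduPersonPrincipalName": "jdoe@example-university.edu",
                                   "mail": "jdoe@example-university.edu",
                                   "eduPersonAffiliation": "faculty"}),
        # Account whose IdP cannot release a required attribute.
        "nomail": ("battery staple", {"eduPersonPrincipalName": "nomail@example-university.edu"}),
    },
    "https://idp.tdl.example.org/shibboleth": {
        "reviewer1": ("open sesame", {"eduPersonPrincipalName": "reviewer1@tdl.example.org",
                                      "mail": "reviewer1@example.net"}),
    },
}

SP_ENTITY_ID = "https://journals.tdl.example.org/shibboleth"   # constructed
WAYF_URL = "https://wayf.example.org/WAYF"                      # constructed


def sp_request(resource, session):
    """Step 1: without an authenticated session the SP redirects to the WAYF."""
    if session and session.get("authenticated"):
        return {"action": "serve", "resource": resource}
    return {"action": "redirect", "to": WAYF_URL, "entityID": SP_ENTITY_ID,
            "return": SP_ENTITY_ID + "/Shibboleth.sso", "target": resource}


def wayf_list_institutions():
    """Step 2: the WAYF lists the participating institutions from federation metadata."""
    return sorted(m["display_name"] for m in FEDERATION_METADATA.values())


def wayf_select(entity_id, sp_return, target):
    """Step 2 (cont.): the user picks a home institution; the WAYF redirects there."""
    if entity_id not in FEDERATION_METADATA:
        raise ValueError("unknown institution selected at WAYF")
    return {"action": "redirect", "to": entity_id + "/SSO", "return": sp_return, "target": target}


def idp_authenticate(entity_id, username, password):
    """Step 3: the home IdP checks local credentials and issues a signed assertion."""
    record = IDP_DIRECTORIES[entity_id].get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        raise PermissionError("local authentication failed")
    payload = json.dumps({"issuer": entity_id, "audience": SP_ENTITY_ID,
                          "attributes": record[1]}, sort_keys=True)
    sig = hmac.new(FEDERATION_METADATA[entity_id]["key"], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def sp_consume_assertion(assertion):
    """Step 4: the SP accepts the assertion only if the issuer is a federation member,
    the signature verifies, the audience is this SP, and required attributes are present.
    Attributes outside the policy are dropped, as an SP attribute map would do."""
    claims = json.loads(assertion["payload"])
    issuer = claims.get("issuer")
    if issuer not in FEDERATION_METADATA:
        raise PermissionError("issuer not vouched for by the federation")
    expected = hmac.new(FEDERATION_METADATA[issuer]["key"], assertion["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise PermissionError("assertion signature invalid")
    if claims.get("audience") != SP_ENTITY_ID:
        raise PermissionError("assertion not addressed to this SP")
    attrs = claims["attributes"]
    missing = REQUIRED_ATTRIBUTES - attrs.keys()
    if missing:
        raise PermissionError("required attributes missing: %s" % sorted(missing))
    kept = {k: v for k, v in attrs.items() if k in REQUIRED_ATTRIBUTES | RECOMMENDED_ATTRIBUTES}
    return {"authenticated": True, "issuer": issuer, "attributes": kept}


def login_flow(resource, entity_id, username, password):
    """Drives steps 1 to 4 end to end; returns (SP response, SP session)."""
    r1 = sp_request(resource, session=None)
    r2 = wayf_select(entity_id, r1["return"], r1["target"])
    session = sp_consume_assertion(idp_authenticate(entity_id, username, password))
    return sp_request(r2["target"], session), session


def is_rejected(thunk):
    """True if the login attempt in `thunk` is refused by the IdP or the SP."""
    try:
        thunk()
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(wayf_list_institutions())
    print(login_flow("/journal/article/1", "https://idp.example-university.edu/shibboleth",
                     "jdoe", "correct horse"))
```

Running the module walks a faculty member from Example University through the WAYF to their IdP and back; the non-member reviewer path is the same flow with the TDL IdP selected. A forged assertion naming an issuer absent from the federation metadata, or an assertion whose attributes are altered after signing, is refused by the SP without the SP ever having seen a password.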
Shibboleth Users E-mail List
Because of the distributed nature of Shibboleth, a change to any one part can affect how the entire system works. It is therefore important that whenever an identity provider manager at a member institution, or the service provider manager at TDL, makes a change to a Shibboleth instance, they communicate that change to the Federation. This includes changes to the attributes released by an identity provider and upgrades to a new version of Shibboleth.
To prevent problems, TDL encourages its members to communicate any changes they might make to Shibboleth to the LEARN Federation. To facilitate this communication, the TDL has set up a mailing list for identity provider managers to post questions, announce changes, and discuss other Shibboleth-related issues. The list will be monitored by personnel at LEARN, as well as staff at the TDL.
Anyone interested in joining the TDL Shibboleth Users List can e-mail TDL at email@example.com.
Supporting documentation about the TDL Shibboleth Federation includes the pages listed below and the resources available in the Shibboleth section of the TDL Publications and Presentations page.