Shibboleth Federated Authentication

In keeping with its commitment to open-source technologies, the Texas Digital Library uses the Shibboleth federated authentication software for authentication and identity management. Shibboleth is a standards-based (SAML) open-source platform that lets TDL authenticate users by relying on the authentication and identity management systems of its member institutions.

With Shibboleth, faculty and staff at participating TDL member institutions can log on to most TDL services with the ID and password they already use at their home institutions. The home institutions (identity providers) release to TDL only the information about each user that TDL needs to make authorization decisions; the password itself never leaves the home institution. In this way, users at TDL institutions do not have to create separate IDs and passwords for TDL services, and TDL can leverage its members' existing authentication infrastructure.


How does Shibboleth work?

TDL provides multiple services, including repository, scholarly publishing, and preservation services. Each of these “service providers” interacts with users from academic institutions both within and outside the State of Texas. Participating academic institutions, acting as “identity providers,” assert the identities of their students, faculty, and staff so that those users can access the services TDL offers.

Shibboleth Federation Architecture

The TDL Shibboleth architecture comprises several service providers (SPs), several identity providers (IdPs), and a single “where are you from” (WAYF) service. These components work together using the Shibboleth authentication system to provide a secure distributed authentication mechanism across the State of Texas. The process is described below and in the figure to the right:

1. REQUEST

First, the user requests a resource provided by one of TDL's services. If the resource requires authentication and the user has no session, the service provider automatically redirects the user to the “where are you from” service, where the user is presented with a list of participating institutions.

2. SOURCE

At the WAYF the user selects his or her home institution and is redirected to that institution's own login page. There the user enters the username and password of his or her local identity; the credentials are presented only to the home institution, never to the WAYF or to TDL.

Users who need access to TDL resources but are not from a participating institution (for example, an external reviewer for a TDL journal) may select TDL itself at the WAYF. In that case TDL's own identity provider acts as the home institution and supplies a non-validated identity.

3. DELIVERY

Finally, after successfully authenticating with the home institution, the user is returned to the service provider along with the identity information the home institution has released. The user has now been authenticated through Shibboleth, and the service provider can apply its own authorization rules to that information before granting access to the resource.
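The three steps above, as an added worked example that is not TDL's, LEARN's or the Shibboleth project's code: a Python simulation of the SAML 2.0 Web SSO round trip between a service provider, a WAYF and an identity provider. The SAMLRequest is encoded the way the SAML HTTP-Redirect binding specifies (raw DEFLATE, then base64); the identity provider's response is a plain dictionary standing in for the signed SAML assertion, and XML signature verification is omitted. All entity IDs, URLs, the choice of required and recommended attribute names, and the user directory are assumptions constructed for this example. The service-provider side shows the checks a deployment relies on: the response must answer a request the SP actually issued (which rejects replays), must come from a federation identity provider, must be addressed to this SP, and must carry the attributes the federation policy marks as required before any authorization is made on them.

```python
import base64
import re
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration: not TDL's, LEARN's or any member institution's real values.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
WAYF_URL = "https://wayf.example.org/WAYF"
IDPS = {"Example University": ("https://idp.example.edu/idp/shibboleth",
                               "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO")}
TRUSTED_ISSUERS = {entity_id for entity_id, _ in IDPS.values()}  # from federation metadata
REQUIRED_ATTRS = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}  # assumed policy
RECOMMENDED_ATTRS = {"displayName", "mail"}                                 # assumed policy


def redirect_encode(xml: str) -> str:
    """SAML HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def redirect_decode(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()

class ServiceProvider:
    def __init__(self):
        self.outstanding = {}  # AuthnRequest ID -> resource the user originally asked for

    def start_login(self, resource: str) -> str:
        """Step 1 (REQUEST): protected resource hit without a session -> WAYF redirect."""
        rid = "_" + uuid.uuid4().hex
        self.outstanding[rid] = resource
        xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{rid}" '
               f'Version="2.0" IssueInstant="{datetime.now(timezone.utc):%Y-%m-%dT%H:%M:%SZ}">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
        return WAYF_URL + "?" + urlencode({"SAMLRequest": redirect_encode(xml),
                                           "RelayState": resource})

    def consume_response(self, resp: dict, relay_state: str) -> dict:
        """Step 3 (DELIVERY): validate the IdP response, then authorize on attributes.
        A real SP also verifies the XML signature with the IdP key from metadata."""
        resource = self.outstanding.pop(resp["InResponseTo"], None)
        if resource is None:  # never issued, or already consumed once: replay
            raise PermissionError("unsolicited or replayed response")
        if relay_state != resource:
            raise PermissionError("RelayState does not match the original request")
        if resp["Issuer"] not in TRUSTED_ISSUERS or resp["Audience"] != SP_ENTITY_ID:
            raise PermissionError("not a federation IdP, or assertion meant for another SP")
        attrs = resp["Attributes"]
        missing = REQUIRED_ATTRS - set(attrs)
        if missing:
            raise PermissionError(f"required attributes not released: {sorted(missing)}")
        affiliations = {v.split("@", 1)[0] for v in attrs["eduPersonScopedAffiliation"]}
        return {"resource": resource, "principal": attrs["eduPersonPrincipalName"][0],
                "allowed": bool(affiliations & {"faculty", "staff"})}

def wayf(sp_redirect: str, institution: str) -> str:
    """Step 2 (SOURCE), routing only: never sees credentials, forwards the request unchanged."""
    q = parse_qs(urlsplit(sp_redirect).query)
    return IDPS[institution][1] + "?" + urlencode({"SAMLRequest": q["SAMLRequest"][0],
                                                   "RelayState": q["RelayState"][0]})

class IdentityProvider:
    def __init__(self, entity_id: str, directory: dict):
        self.entity_id, self.directory = entity_id, directory

    def sso(self, sso_url: str, username: str, password: str) -> tuple:
        """Step 2 (SOURCE), local login, then a response carrying released attributes."""
        q = parse_qs(urlsplit(sso_url).query)
        xml = redirect_decode(q["SAMLRequest"][0])
        request_id = re.search(r'\sID="([^"]+)"', xml).group(1)
        requester = re.search(r"<saml:Issuer>([^<]+)</saml:Issuer>", xml).group(1)
        user = self.directory.get(username)
        if user is None or user["password"] != password:  # toy check, plaintext for brevity
            raise PermissionError("local authentication failed")
        attrs = user["attributes"]  # release policy: required always, recommended if held
        released = {a: attrs[a] for a in REQUIRED_ATTRS | RECOMMENDED_ATTRS if a in attrs}
        response = {"InResponseTo": request_id, "Issuer": self.entity_id,
                    "Audience": requester,  # the SP named in the AuthnRequest
                    "Attributes": released}
        return response, q["RelayState"][0]

# Constructed directory for the example IdP.
DIRECTORY = {
    "jdoe": {"password": "correct-horse", "attributes": {
        "eduPersonPrincipalName": ["jdoe@example.edu"], "mail": ["jdoe@example.edu"],
        "eduPersonScopedAffiliation": ["faculty@example.edu", "member@example.edu"]}},
    "student1": {"password": "battery-staple", "attributes": {"eduPersonPrincipalName": [
        "student1@example.edu"], "eduPersonScopedAffiliation": ["student@example.edu"]}},
}
EXAMPLE_IDP = IdentityProvider(IDPS["Example University"][0], DIRECTORY)

def run_flow(sp: ServiceProvider, username: str, password: str, resource: str) -> dict:
    """Whole round trip for one user; returns the SP's authorization decision."""
    sso_url = wayf(sp.start_login(resource), "Example University")
    response, relay_state = EXAMPLE_IDP.sso(sso_url, username, password)
    return sp.consume_response(response, relay_state)
```

Calling run_flow(ServiceProvider(), "jdoe", "correct-horse", "/journals/review/42") returns a decision with allowed set to True because the released eduPersonScopedAffiliation includes faculty; the same call for student1 returns allowed False; and presenting the same response to the service provider a second time raises PermissionError because the request ID was consumed on first use. The WAYF deliberately does nothing but route: it forwards the SP's request untouched and never handles a password, which is the property the SOURCE step above relies on.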


LEARN Shibboleth Federation

In October 2009 TDL announced a partnership with the Lonestar Education and Research Network (LEARN) to collaborate on networking projects in service to Texas researchers and academics. One key part of the collaboration has been the development of a statewide Shibboleth Federation managed by LEARN.

The Shibboleth Federation sets the policies and manages the relationships among TDL service providers and its members’ identity providers. In the LEARN Federation, LEARN mediates the relationships between TDL services on one side and member identity providers on the other, essentially “vouching” that the information provided by identity providers is trustworthy.

In its early years, the Texas Digital Library managed its own Shibboleth Federation. Since 2009, however, TDL has worked with LEARN to transfer all its members from the legacy TDL Shibboleth Federation to the LEARN Federation.


TDL Attribute Release Policy

TDL specifies a set of attribute definitions to support basic attribute-based authorization. These attributes are used by the services provided within the TDL consortium.

Two levels of attributes exist: required and recommended. Identity providers must be able to supply every attribute marked as required to any TDL service provider that requests it. Identity providers need not supply recommended attributes, but when they do, the attribute's meaning must match the published definition; a service provider that relies on a recommended attribute must therefore be prepared for it to be absent.

- Shibboleth Attribute Release Requirements


More information

Supporting documentation about the TDL Shibboleth Federation includes the pages listed below and the resources available in the Shibboleth section of the TDL Publications and Presentations page.

- Shibboleth in the TDL Wiki
- Shibboleth website
