In keeping with its commitment to the use of open-source technologies, the Texas Digital Library employs Shibboleth federated authentication software for authentication and identity management. The Shibboleth System is a standards-based, open-source platform that allows TDL to authenticate users by leveraging its member institutions’ authentication and identity management systems.
With Shibboleth, faculty and staff at participating TDL member institutions can log on to most TDL services using the ID and password they use at their home institutions. The home institutions (or identity providers) give TDL enough information about each faculty member to enable authorization. In this way, faculty members at TDL institutions do not have to create unique IDs and passwords for TDL services, and TDL can leverage the existing authentication infrastructures of its member institutions.
How does Shibboleth work?
TDL provides multiple services, including repository services, scholarly publishing services, and preservation services. Each of these “service providers” interacts with users from academic institutions both within and outside the State of Texas. Participating academic institutions, acting as “identity providers,” are able to supply the identity of their students, faculty, and staff so that they are able to access the services offered by TDL.
The TDL Shibboleth architecture is structured to include several service providers (SP), several identity providers (IDP), and a single “where are you from” (WAYF) service. Each of these components works together using the Shibboleth authentication system to provide a secure distributed authentication mechanism across the State of Texas. This process is described below and in the figure to the right:
First the user will request access to a resource provided by one of TDL’s services. If authenticated access is required, the user will be automatically redirected to the “where are you from” service. At the WAYF the user will be presented with a list of participating institutions.
Once at the WAYF, the user selects his or her home institution, and will be directed to an authentication website hosted by that institution. The user will enter his or her username and password using his or her local identity.
A user may select TDL at the WAYF to provide non-validated identities to those who require access to TDL resources but are not from a participating institution. (For example, a non-TDL user might require access as a reviewer for a TDL journal.) In this case, the TDL identity provider is able to act as the home institution.
Finally, after successfully authenticating with his or her home institution, the user is returned to the service provider. The user has now been authenticated using Shibboleth and is able to use the resource provided by TDL.
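The four steps above can be followed end to end in a small model of the federation. The block below is an added illustration written for this page, not TDL or Shibboleth code: real Shibboleth exchanges SAML 2.0 XML assertions signed with per-IdP X.509 keys published in federation metadata, whereas here a JSON assertion with an HMAC signature stands in so that the checks a service provider must perform before trusting released attributes (known issuer, valid signature, correct audience, validity window, no replay) are visible. The entity IDs, the shared secrets, the guest IdP standing in for the TDL identity provider of the previous paragraph, and the user directory are all constructed.

```python
"""Constructed model of the SP -> WAYF -> IdP -> SP flow. Illustrative only."""
import hashlib
import hmac
import json
import time
import uuid

# Constructed federation metadata: each IdP entityID maps to the key the SP
# uses to verify its assertions (assumption: HMAC instead of XML-DSig/X.509).
IDP_METADATA = {
    "https://idp.example-university.edu/idp": {"secret": b"univ-signing-key"},
    "https://idp.tdl.example/idp": {"secret": b"tdl-guest-signing-key"},  # TDL guest IdP
}
SP_ENTITY_ID = "https://repo.tdl.example/sp"  # hypothetical TDL service provider
ASSERTION_LIFETIME = 300  # seconds the SP accepts an assertion after issuance


def wayf_choices():
    """Steps 1-2: the WAYF shows the user the list of participating IdPs."""
    return sorted(IDP_METADATA)


def _sign(assertion, secret):
    # Canonical JSON so both sides hash identical bytes.
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def idp_authenticate(idp_entity_id, username, password, directory, now=None):
    """Step 3: the selected home IdP checks the user's local credentials and,
    on success, issues a signed assertion carrying the released attributes.
    Returns None when authentication fails."""
    user = directory.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    now = int(now if now is not None else time.time())
    assertion = {
        "issuer": idp_entity_id,
        "audience": SP_ENTITY_ID,          # bound to one SP
        "id": str(uuid.uuid4()),            # unique per assertion, for replay checks
        "issued": now,
        "expires": now + ASSERTION_LIFETIME,
        "attributes": {"eppn": user["eppn"], "affiliation": user["affiliation"]},
    }
    return {"assertion": assertion, "signature": _sign(assertion, IDP_METADATA[idp_entity_id]["secret"])}


def sp_consume(message, seen_ids, now=None):
    """Step 4: the SP validates the returned assertion before trusting it.
    Returns (attributes, "ok") or (None, reason)."""
    assertion = message["assertion"]
    idp = IDP_METADATA.get(assertion.get("issuer"))
    if idp is None:
        return None, "unknown issuer"        # not a federation member
    expected = _sign(assertion, idp["secret"])
    if not hmac.compare_digest(expected, message["signature"]):
        return None, "bad signature"         # contents altered in transit
    if assertion["audience"] != SP_ENTITY_ID:
        return None, "wrong audience"        # assertion meant for another SP
    now = now if now is not None else time.time()
    if not assertion["issued"] <= now < assertion["expires"]:
        return None, "expired"
    if assertion["id"] in seen_ids:
        return None, "replay"                # same assertion presented twice
    seen_ids.add(assertion["id"])
    return assertion["attributes"], "ok"


def run_flow(idp_entity_id, username, password, directory, seen_ids, now=None):
    """Whole exchange: WAYF choice -> IdP login -> SP validation."""
    if idp_entity_id not in wayf_choices():
        return None, "not listed at WAYF"
    message = idp_authenticate(idp_entity_id, username, password, directory, now)
    if message is None:
        return None, "login failed at home institution"
    return sp_consume(message, seen_ids, now)


if __name__ == "__main__":
    # Constructed directory at the member institution.
    directory = {"alice": {"password": "s3cret", "eppn": "alice@example-university.edu",
                           "affiliation": "faculty"}}
    print(run_flow("https://idp.example-university.edu/idp", "alice", "s3cret",
                   directory, set(), now=1_700_000_000))
```

The `seen_ids` set is what makes the replay check meaningful across requests; a real SP keeps that state (and the clock skew it tolerates) in its configuration rather than in a bare Python set.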
Supporting documentation about the TDL Shibboleth Federation includes the pages listed below and the resources available in the Shibboleth section of the TDL Publications and Presentations page.