Shibboleth's Federated Identity Model
In many ways, Shibboleth's industry street-cred is better than CAS's, which,
as we have mentioned, is unfairly viewed as a product for academic
institutions. Three disparate federated identity schemes (Liberty ID-FF,
Shibboleth and the earlier SAML 1.1) fed into the recent SAML2
specification. Many of the spec writers were Shibboleth developers, and this
must have played no small part in ensuring the close match between the
SAML2 standard and the Shibboleth implementation. Open Source has thus
managed to gain the inside track on federated identity. Any commercial
product that claims compatibility with the SAML2 spec is by definition
interoperable with Shibboleth. The implication is that interoperability with
business partners is not a concern that should stand in the way of your
implementing Shibboleth for your federated identity management capability.
Here is how Shibboleth works. Keep in mind our earlier description of a
ticketing server-based SSO solution as well as the CAS model, and you will
see the main differences.
Fig 17: Shibboleth model
1. The browser attempts to access the business application protected by
an interceptor. This combination is referred to as the Service Provider
(SP).
 