Humboldt-Universität zu Berlin - Computer and Media Service

Shibboleth

A web-based single sign-on system for authentication and authorization.

Shibboleth service view

A Shibboleth Identity Provider (IdP) is operated at Humboldt University. This is registered in the federations 'HU-intern', 'DFN-AAI' and 'eduGAIN'.

For the authentication of HU internal services, the HU internal federation 'HU-intern' is implemented, in which the central Shibboleth IdP of the HU and HU services are located. In this context, HU internal services in the broadest sense are services that are to be used exclusively by members of the HU and whose user administration is to take place as automatically as possible via the use of the HU account.

The HU IdP is directly linked to the central IdM and thus has up-to-date account and personal data. Designed as a central authentication service, the IdP implements authentication with HU account and associated password as the first factor and a time-based PIN as the second factor.

This means that a service does not need to implement anything additional in order to use this so-called two-factor authentication. Further information is available in the following specification:

Shibboleth user view

How does Shibboleth work?

Many web-based services at Humboldt University rely on authentication of their users and often on their authorization. Often, each service implements its own login functions, which means that you as a user may be confronted with several different ways to log in during the day.


A more manageable solution for you is the Shibboleth Single Sign On (SSO) system, which allows you to authenticate only once per session and, within this session, to use all services connected to Shibboleth without authenticating again. This is made possible by features of your browser (the cookie described below) together with the central authentication of the Shibboleth SSO system. A session is the time between opening your browser and closing the last open instance of your browser.


In addition to authentication, the Shibboleth system can provide so-called attributes (personal information provided by Humboldt University's central identity management) to the service for your authorization. For this purpose, the Shibboleth system determines in advance which service requires which attributes. These are transferred to the service with your explicit consent after successful authentication. Your actual authorization is handled by the service itself on the basis of the transmitted attributes.


For you as a user, the following scenarios arise for accessing web-based services:

First access within the current session

Open your browser and select the address of the desired service (see Figure 1: 1 Start Service). On the service provider's server, called Service Provider (SP), the Shibboleth SP module redirects you through your browser to the central Shibboleth server, called Identity Provider (IdP) (Figure 1: 2 Redirection), because only the IdP holds information about you. The IdP presents you with the login page in your browser, where you enter your username and password (Figure 1: 3 Login? and 4 Login.).

Using the username and password, the IdP looks into its collection of identity data (provided by the identity management of Humboldt University) to check whether an account with that name and password exists. If it does, you are authenticated; if not, the login page is presented to you again in the browser. Have you perhaps mistyped your password? You can only leave the login page again after a successful authentication.

If you are authenticated, the IdP creates a Shibboleth session for you and writes the identifier of this session (Figure 1: 5 Redirection with key) into a so-called browser cookie, which works like a notepad in the browser. For every other service that subsequently contacts the IdP, this cookie is used to locate the Shibboleth session, so that the session, rather than a new login request, serves as your authentication.

In addition to authentication, the IdP looks up what other personal information about you is needed by the current service. These are the so-called attributes. Again, the IdP looks into its collection of user data and reads out the personal information specifically for you, thus compiling the list of required attributes.

In order for you to have control over the information to be transferred at all times, you must consent to the transfer of the attributes. You can give this consent in general for the attribute lists of any service involved, or for the attribute list of a specific service individually. For this purpose, the IdP presents you with the list of attributes currently to be transferred, with the corresponding options for consent (in general or for the current service). You can withdraw your consent at any time by checking the box on the IdP login page.

Once you have consented to the transfer of the attributes, they are packed together with the confirmation of successful authentication into an encrypted message that is transferred back to the Shibboleth SP via your browser (Figure 1: 5 Redirection).

The Shibboleth SP module unpacks the message and passes the attributes to the actual service. Then the Shibboleth SP module transfers control to the actual service (Figure 1: 6 Service!). The service can now use the attributes to decide which specific functions you are allowed to use.

Figure: Shibboleth function from the user's perspective

Figure 1: Shibboleth login from the user's perspective

Any further access within the current session

If you select the address of another service in the same browser, the Shibboleth SP module again forwards you to the IdP via your browser. The IdP sees the cookie, recognizes the Shibboleth session and checks whether it is still valid. Shibboleth sessions of the IdP of Humboldt University are valid for 10 hours, i.e. for a whole working day. If the session is no longer valid, the procedure continues as described above for the first access. However, if there is a valid session - as in most cases - the required attributes for the current service are compiled immediately. Paths 3 and 4 in Figure 1 are omitted in this case.

All further steps are identical to those of the first access, i.e. you must again agree to the transfer of the attributes, although in most cases the agreement has already been given and thus no further input is required. Afterwards the message with the attributes goes back via your browser to the Shibboleth SP module, which unpacks it and hands it over to the current service.

In this case all these processes happen in the background without any intervention from you. You are presented with the page of the service via the browser.
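As an added illustration (not code from the HU pages or from the Shibboleth project), the following Python simulation walks through the steps described above for a first and a repeated access: SP redirect to the IdP, login, session cookie, per-service attribute list with remembered consent, the message carried back through the browser, and the SP module checking it before handing the attributes to the service. It assumes constructed accounts and attribute lists, a shared HMAC key as a stand-in for the IdP's real signature, and the 10-hour session lifetime stated in the text.

```python
import hmac, json, secrets

SESSION_LIFETIME = 10 * 3600      # HU IdP sessions are valid for 10 hours (from the text)
IDP_KEY = b"constructed-idp-key"  # constructed stand-in for the IdP's signing key
ACCOUNTS = {"alice": {"password": "pw", "mail": "a@hu.example", "affiliation": "staff"}}  # constructed
SP_ATTRIBUTES = {"wiki": ["mail"], "hr-portal": ["mail", "affiliation"]}  # constructed per-SP lists

class IdP:
    def __init__(self):
        self.sessions = {}    # session id (cookie value) -> (user, created_at)
        self.consent = set()  # (user, sp) pairs for which attribute release was consented

    def login(self, user, password, now):
        # Steps 3/4: check account and password; return a session id for the cookie, or None.
        if user not in ACCOUNTS or not hmac.compare_digest(ACCOUNTS[user]["password"], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now)
        return sid

    def session_user(self, sid, now):
        # Locate the Shibboleth session named in the cookie and check it is still valid.
        entry = self.sessions.get(sid)
        return None if entry is None or now - entry[1] > SESSION_LIFETIME else entry[0]

    def issue(self, user, sp, consent_given):
        # Compile the SP's attribute list; the signed message goes back via the browser (step 5).
        if (user, sp) not in self.consent:
            if not consent_given:
                return None
            self.consent.add((user, sp))
        attrs = {a: ACCOUNTS[user][a] for a in SP_ATTRIBUTES[sp]}
        body = json.dumps({"user": user, "sp": sp, "attrs": attrs}, sort_keys=True)
        return body, hmac.new(IDP_KEY, body.encode(), "sha256").hexdigest()

def sp_unpack(sp, message):
    # Step 6: the SP module checks the message came from the IdP and is addressed to this SP.
    body, sig = message
    ok = hmac.compare_digest(hmac.new(IDP_KEY, body.encode(), "sha256").hexdigest(), sig)
    data = json.loads(body) if ok else {}
    return data["attrs"] if ok and data["sp"] == sp else None

def access(idp, sp, cookies, now, credentials=None, consent_given=True):
    # Browser-mediated flow: returns attributes, "login" (login page) or "consent" (consent page).
    user = idp.session_user(cookies.get("idp_session"), now)
    if user is None:
        sid = idp.login(*credentials, now) if credentials else None
        if sid is None:
            return "login"
        cookies["idp_session"], user = sid, credentials[0]
    message = idp.issue(user, sp, consent_given)
    return "consent" if message is None else sp_unpack(sp, message)
```

The `cookies` dictionary plays the role of the browser's cookie store, so a second call with the same dictionary corresponds to a further access within the same browser session.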

What are Shibboleth federations for?

By organizing several institutions (e.g. universities, colleges, publishers) into federations, it is possible to make web services accessible to members of other institutions and to use web services of other institutions yourself.

For you as a user, access to web services of other institutions within the federation only requires selecting your home institution at the beginning of the authentication process. The home institution is the institution where you have your account (usually Humboldt-Universität zu Berlin).

For the first access within a running session, you will often first receive a question about your home institution from the SP module via your browser. After that, the redirection to this selected institution takes place via your browser (Figure 1: 2 Redirection).

The further steps are identical to the login process without federation (see above).

Sources

Internet2: http://shibboleth.internet2.edu/

DFN-AAI: https://www.aai.dfn.de/