Shibboleth IDP: What is it? And why you should consider a bundled platform like Gluu
Many people are interested in deploying a Shibboleth Identity Provider (IDP) to enable SAML single sign-on (SSO).
Shibboleth is a free, open-source web single sign-on system that supports rich attribute exchange based on open standards, most notably SAML. Shibboleth has widespread adoption in higher education and government due to its free, open-source license, as well as built-in privacy provisions that meet the legal obligations of accredited schools and security-conscious organizations.
As a federated system, Shibboleth supports secure access to resources across security domains. Information about a user, known as attributes, is sent from an identity provider (IDP) to a service provider (SP), which uses it to protect sensitive content and makes it available to applications.
A typical example might be: a person attempts to access a protected resource, gets redirected to a central identity provider for authentication, and upon successful authentication ends up back at the protected resource with an active session.
Without going into excessive detail, this is how resource access typically proceeds between the user, the SP and the IDP:
1. The user attempts to access a protected resource at the SP.
2. The SP sees that the user has no active session and redirects the user to the IDP with an authentication request.
3. The user authenticates at the IDP.
4. The IDP issues a signed response containing an assertion about the user, addressed to the SP.
5. The user's browser delivers that response to the SP, which verifies the signature and checks that the assertion is intended for this SP, is still within its validity window, and answers a request the SP actually made.
6. The SP creates a session and grants access to the protected resource.
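The six steps above, modelled in Python as an added example that is not Shibboleth or Gluu code. Both parties are in one process: the SP mints an AuthnRequest and remembers its ID, the IDP answers it with a Response and Assertion for the SP registered in its metadata table, and the SP rejects responses that are replayed, expired, unsolicited, or issued for another SP. Entity IDs, URLs and the user record are constructed; XML Signature verification, which a real SP does first, is deliberately left out because the standard library has no XMLDSig, and the example says so where the check belongs.

```python
"""Toy model of the six-step SAML 2.0 Web Browser SSO exchange described above: an added illustration,
not Shibboleth or Gluu code. Entity IDs, URLs and the user record are constructed (see demo)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS, FMT = {"samlp": SAMLP, "saml": SAML}, "%Y-%m-%dT%H:%M:%SZ"

class SAMLError(Exception):
    pass

def _require(ok, msg):
    if not ok:
        raise SAMLError(msg)

def _ts(dt): return dt.strftime(FMT)
def _parse_ts(text): return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

class IdentityProvider:
    """Steps 3-4: authenticate the user, then issue a Response for a registered SP."""
    def __init__(self, entity_id, sp_registry, users):
        self.entity_id, self.users = entity_id, users  # users: username -> attributes (constructed)
        self.sp_registry = sp_registry                 # SP entityID -> ACS URL from SP metadata

    def handle_authn_request(self, request_xml, username, now):
        req = ET.fromstring(request_xml)
        sp_entity = req.findtext("saml:Issuer", namespaces=NS)
        acs = self.sp_registry.get(sp_entity)
        # Deliver only to the ACS URL registered in metadata, never to the URL the request claims;
        # otherwise a forged request could redirect the user's assertion to an attacker's endpoint.
        _require(acs is not None and req.get("AssertionConsumerServiceURL") == acs,
                 "unknown SP or ACS URL not in its metadata")
        attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                        '</saml:Attribute>' for k, v in self.users[username].items())
        return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}"
  Version="2.0" IssueInstant="{_ts(now)}" Destination="{acs}" InResponseTo="{req.get('ID')}">
  <saml:Issuer>{self.entity_id}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{self.entity_id}</saml:Issuer>
    <saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{_ts(now + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{sp_entity}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

class ServiceProvider:
    """Steps 1-2 and 5-6: send the user to the IdP, then validate what comes back."""
    def __init__(self, entity_id, acs_url, idp_entity_id, clock_skew=timedelta(seconds=60)):
        self.entity_id, self.acs_url, self.idp_entity_id = entity_id, acs_url, idp_entity_id
        self.clock_skew, self.pending = clock_skew, {}  # pending: outstanding AuthnRequest IDs
        self.seen_assertions = set()                    # assertion IDs already accepted (replay cache)

    def create_authn_request(self, idp_sso_url, now):
        req_id = "_" + uuid.uuid4().hex
        self.pending[req_id] = now
        return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" Version="2.0" '
                f'IssueInstant="{_ts(now)}" Destination="{idp_sso_url}" AssertionConsumerServiceURL="{self.acs_url}">'
                f'<saml:Issuer>{self.entity_id}</saml:Issuer></samlp:AuthnRequest>')

    def consume_response(self, response_xml, now):
        # A real SP first verifies the XML Signature on the Response/Assertion against the IdP certificate
        # from metadata; omitted here (no XMLDSig in the stdlib). Without it every check below is worthless,
        # because an attacker can forge the very fields they inspect. Never skip it in production.
        resp = ET.fromstring(response_xml)
        _require(resp.get("Destination") == self.acs_url, "response not addressed to this ACS")
        _require(resp.findtext("saml:Issuer", namespaces=NS) == self.idp_entity_id, "untrusted issuer")
        status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
        _require(status == SUCCESS, f"authentication failed: {status}")
        # pop(): each AuthnRequest ID is honoured once, so unsolicited and replayed IDs are rejected
        _require(self.pending.pop(resp.get("InResponseTo"), None) is not None,
                 "InResponseTo does not match an outstanding request")
        assertion = resp.find("saml:Assertion", NS)
        _require(assertion is not None and assertion.findtext("saml:Issuer", namespaces=NS)
                 == self.idp_entity_id, "missing assertion or untrusted assertion issuer")
        _require(assertion.get("ID") not in self.seen_assertions, "assertion replayed")
        cond = assertion.find("saml:Conditions", NS)
        not_before, not_after = _parse_ts(cond.get("NotBefore")), _parse_ts(cond.get("NotOnOrAfter"))
        _require(not_before - self.clock_skew <= now < not_after + self.clock_skew,
                 "assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        _require(self.entity_id in audiences, "assertion not intended for this SP")
        self.seen_assertions.add(assertion.get("ID"))
        return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

def demo(now=None):
    """Run the exchange once between two constructed parties; returns the attributes the SP accepted."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    sp = ServiceProvider("https://sp.example.edu/shibboleth", "https://sp.example.edu/Shibboleth.sso/SAML2/POST",
                         "https://idp.example.edu/idp/shibboleth")
    idp = IdentityProvider(sp.idp_entity_id, {sp.entity_id: sp.acs_url},
                           {"jdoe": {"mail": "jdoe@example.edu", "eduPersonAffiliation": "student"}})
    request = sp.create_authn_request("https://idp.example.edu/idp/profile/SAML2/Redirect/SSO", now)
    response = idp.handle_authn_request(request, "jdoe", now)  # steps 3-4
    return sp.consume_response(response, now)                  # steps 5-6
```

Calling `demo()` returns the released attributes for the constructed user. The two places where deployments most often go wrong are both visible in the code: the IDP trusts the ACS URL from its metadata table rather than the one in the request, and the SP consumes each request ID exactly once and keeps a replay cache of assertion IDs, so the same response cannot be presented twice even inside its five-minute validity window.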
Why use the Gluu Server for your Shibboleth IDP:
Deploying, configuring, and operating a Shibboleth IDP requires technical know-how that is time consuming to obtain and expensive to retain; identity and access management engineers are in high demand right now!
So let’s go through a few of the advantages of using the Gluu Server, which bundles the Shibboleth IDP to support SAML SSO:
If you deploy Shibboleth on its own, you download the Java distribution, run its installer, and set up and tune a servlet container such as Jetty yourself. This is not a simple undertaking. The Gluu Server makes deployment fast and easy by offering open source Linux packages for CentOS, Ubuntu, RHEL, and Debian.
No Hand Editing XML!
Operating Shibboleth on its own means hand-editing XML files (attribute resolver, attribute filter, relying-party and metadata configuration) to set up single sign-on. This is a time-consuming and error-prone process. The Gluu Server offers a graphical user interface (GUI) for configuring and managing Shibboleth SAML single sign-on.
Support for more modern IAM protocols
Another important consideration is that SAML has in many ways plateaued. SAML 2.0, still the current version, was ratified in 2005, before the smartphone revolution. If you want to get the most out of your investment, you want to future-proof your solution by supporting newer OAuth 2.0 based technologies. The Gluu Server not only supports SAML, but also other important standards that enable you to deliver a comprehensive, modern, and secure identity service, including OpenID Connect, SCIM, FIDO, and UMA.
Many organizations need to know that they can get immediate support in the event of a production outage or a critical security vulnerability. Although the Shibboleth mailing lists are very active, the Shibboleth Consortium does not offer commercial support. Gluu offers free and commercial support options for organizations that need a direct line to our trained identity and access management engineers.
Completeness of Solution
There is more to delivering a comprehensive identity service than SAML single sign-on. For instance, how is user data retrieved from backend systems like Active Directory? How are people authenticated? How are sessions handled across apps that support different protocols? How do replication and clustering work? These considerations and others are addressed in the Gluu Server.
Shibboleth is undoubtedly an important piece of the puzzle, but the Gluu Server is a complete platform for identity and access management.