The Shibboleth® System is a standards-based, open source software package for web single sign-on that will be replacing Brown's existing WebAuth infrastructure in the fall of 2008. Shibboleth allows service providers within Brown's IT infrastructure (such as this Confluence Wiki) to validate a Brown user's identity and to gain access to certain attributes about a person, such as display name, email address, or the groups that list the user as a member. Additionally, Shibboleth allows Brown service providers to admit external users into Brown services, based on a trust relationship between Brown and the external user's institution through mutual membership in a federation. Likewise, Brown users may gain access to service providers at external institutions. Shibboleth provides the framework for these trust relationships and grants a high degree of control over which service providers have access to which portions of a user's identity. Additional information about the Shibboleth project is available at http://shibboleth.internet2.edu
Some good starting points for learning more about Shibboleth would include:
- A 5-minute video, showing Shibboleth in use by a browser user.
- An Introduction to Shibboleth.
- An IT Management Info Center, targeted (not surprisingly) at IT Mgmt.
- An IT Deployers Info Center, targeted at the technical staff installing and supporting the software.
Administrators responsible for websites or applications at Brown can review the Attribute Release Policy link below to understand which attributes are available to their application by default, and which are available on request. To get started using Shibboleth in your website or application, please contact James Cramton.
The Shibboleth project is a specific software solution to the problem of accurately identifying members of the Brown community and its external associates. Wikipedia describes the term as originating from the Hebrew word "shibboleth," which literally means the part of a plant containing grains, such as an ear of corn or a stalk of grain. It derives from an account in the Hebrew Bible, in which pronunciation of this word was used to distinguish members of a group (the Ephraimites), whose dialect lacked a /ʃ/ sound (as in shoe), from members of a group (the Gileadites) whose dialect did include such a sound.
In the Book of Judges, chapter 12, after the inhabitants of Gilead inflicted a military defeat upon the tribe of Ephraim (around 1370--1070 BC), the surviving Ephraimites tried to cross the Jordan River back into their home territory and the Gileadites secured the river's fords to stop them. In order to identify and kill these disguised refugees, the Gileadites put each refugee to a simple test:
Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say Shibboleth.' If anyone said, 'Sibboleth', because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion.
- Judges 12:5-6, NJB
Fortunately, the modern use of the term Shibboleth is not nearly so draconian, but the point remains that the Shibboleth software is used by service providers to authenticate members of the Brown community, and to authorize users according to the attributes released to those service providers.
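To make the "authenticate, then authorize on released attributes" model concrete, here is an added example of the check an application behind a Shibboleth Service Provider might perform. It is illustrative code written for this page, not software from Brown or the Shibboleth project. It assumes the SP has already authenticated the user and exposed the released attributes to the application as request environment variables (the SP's usual mode under Apache, with multiple values of one attribute joined by ';'); the attribute names `displayName`, `mail` and `isMemberOf`, the group names, and the sample session below are all constructed for the example and would be replaced by whatever the attribute release policy actually grants the application.

```python
"""Group-based authorization over attributes released by a Shibboleth SP.

Added example for the Brown Shibboleth overview page; not project code.
Attribute names, group names and the sample session are assumptions.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Set, Tuple

# The Shibboleth SP joins multiple values of one attribute with ';'.
MULTI_VALUE_SEPARATOR = ";"


@dataclass(frozen=True)
class ShibUser:
    """The subset of released attributes this application cares about."""
    eppn: str            # scoped identifier, e.g. user@brown.edu
    display_name: str
    mail: str
    groups: frozenset    # values of the multi-valued isMemberOf attribute


def parse_shib_environment(env: Mapping[str, str]) -> Optional[ShibUser]:
    """Build a ShibUser from the variables the SP placed in the request environment.

    Returns None when the SP has not established a session (no REMOTE_USER),
    so the caller can distinguish "not logged in" from "logged in but denied".
    Reading the SP-populated environment, rather than client-supplied HTTP
    headers, keeps the values under the SP's control.
    """
    eppn = env.get("REMOTE_USER", "").strip()
    if not eppn:
        return None
    raw_groups = env.get("isMemberOf", "")  # assumed attribute name
    groups = frozenset(
        g.strip() for g in raw_groups.split(MULTI_VALUE_SEPARATOR) if g.strip()
    )
    return ShibUser(
        eppn=eppn,
        display_name=env.get("displayName", ""),  # assumed attribute name
        mail=env.get("mail", ""),                 # assumed attribute name
        groups=groups,
    )


def authorize(
    user: Optional[ShibUser],
    required_groups: Set[str],
    allowed_scopes: Optional[Set[str]] = None,
) -> Tuple[bool, str]:
    """Decide whether an authenticated user may use the application.

    Authentication (is there a session?) and authorization (does the released
    group membership grant access?) are kept as separate steps, matching the
    split the page describes. An optional scope allow-list lets a federated
    application accept only identities asserted by particular institutions.
    """
    if user is None:
        return False, "no authenticated session"
    if allowed_scopes is not None:
        scope = user.eppn.rpartition("@")[2]
        if scope not in allowed_scopes:
            return False, f"identity scope {scope!r} is not accepted"
    if not user.groups.isdisjoint(required_groups):
        return True, "granted by group membership"
    return False, "not a member of any required group"


# Constructed sample session, standing in for what the SP would populate.
SAMPLE_ENV = {
    "REMOTE_USER": "jdoe@brown.edu",
    "displayName": "Jane Doe",
    "mail": "jane_doe@brown.edu",
    "isMemberOf": "brown:community:staff;brown:wiki:editors",
}

if __name__ == "__main__":
    user = parse_shib_environment(SAMPLE_ENV)
    for groups in ({"brown:wiki:editors"}, {"brown:wiki:admins"}):
        allowed, reason = authorize(user, groups)
        print(f"{user.eppn} needs one of {sorted(groups)}: {allowed} ({reason})")
    print(authorize(user, {"brown:wiki:editors"}, allowed_scopes={"example.edu"}))
```

The value of splitting the decision this way is that a denied request can be reported accurately: a missing session sends the user to the SP's login flow, while a failed group check produces an access-denied response with the user's identity already known for logging.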