Some initial thoughts on Shibboleth, especially as compared with using WebAuth on application web servers:
- The Shibboleth SP (Service Provider) software is relatively difficult to set up and configure; configuration involves editing XML files, and there are apparently no existing tools to make this easier. Support is via the Shibboleth wiki and users mailing list; figuring things out from the former can be problematic, but, on the positive side, the latter is highly responsive.
- The SP itself has many prerequisite packages: cURL, log4cpp, xerces-c, xml-security-c, opensaml (Linux RPMs available from the Shibboleth download page).
- The SP Apache module is written in C++, which might present compatibility issues with other modules (e.g. libphp4); details are in the Shibboleth wiki.
- There is apparently no support for credential delegation; some sort of support for this is planned for 2.0, though it is not clear exactly how this might work.
- The 1.3 IdP does not handle user authentication itself (WebAuth could be used for this); 2.0 will offer some support for this.
- The integration with LDAP is relatively deep, as you can configure which attributes to release to which providers.
- It does not require Kerberos; certificates are used for server authentication instead.
- The SP offers a "lazy session" feature, whereby an application can trigger the establishment of a Shibboleth session, and optionally receive attributes, at the point it deems this necessary. (This could be useful to permit, say, anonymous access to some resource up to the point at which the application requires authentication.)
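
The following is an added illustration of the lazy-session pattern described in the last point; it is not code from the Shibboleth project or from these notes. It assumes that the SP module is active for the application's location but does not force a session (so that it strips any client-supplied copies of the attribute headers), that the SP exposes a session indicator and released attributes as request headers (the header names HTTP_SHIB_SESSION_ID, HTTP_EPPN and HTTP_AFFILIATION below are hypothetical and would come from the SP's attribute mapping), and that a session initiator reachable at /Shibboleth.sso/Login accepts a "target" query parameter naming the URL to return to (also an assumption).

```python
from urllib.parse import urlencode, urlunsplit

# Location of the SP's session initiator (assumption; taken from the SP config).
SESSION_INITIATOR = "/Shibboleth.sso/Login"
# Hypothetical header names; the real ones come from the SP's attribute mapping.
SESSION_HEADER = "HTTP_SHIB_SESSION_ID"
ATTRIBUTE_HEADERS = {"eppn": "HTTP_EPPN", "affiliation": "HTTP_AFFILIATION"}
# Paths served anonymously; everything else needs a Shibboleth session.
PUBLIC_PREFIXES = ("/public/", "/static/")


def request_url(environ):
    """Reconstruct the URL the client asked for, to use as the return target."""
    scheme = environ.get("wsgi.url_scheme", "https")
    host = environ["HTTP_HOST"]
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return urlunsplit((scheme, host, path, query, ""))


def shib_attributes(environ):
    """Return the released attributes as a dict, or None if there is no session.

    These values are only trustworthy because the SP module is assumed to be
    active for this location (lazy-session mode) and therefore removes any
    client-supplied copies of these headers before the request reaches the app.
    """
    if not environ.get(SESSION_HEADER):
        return None
    return {name: environ.get(hdr, "") for name, hdr in ATTRIBUTE_HEADERS.items()}


def decide(environ):
    """Lazy-session decision for one request.

    Returns ("ok", attrs) when a session exists, ("anonymous", None) for a
    public path without a session, or ("redirect", url) when the application
    needs authentication and must send the browser to the SP's initiator.
    """
    path = environ.get("PATH_INFO", "/")
    attrs = shib_attributes(environ)
    if attrs is not None:
        return "ok", attrs
    if path.startswith(PUBLIC_PREFIXES):
        return "anonymous", None
    # No session and a protected path: trigger session establishment and ask
    # the SP to send the user back to the URL that was originally requested.
    target = request_url(environ)
    return "redirect", SESSION_INITIATOR + "?" + urlencode({"target": target})


def application(environ, start_response):
    """Minimal WSGI application wired to the decision above."""
    verdict, payload = decide(environ)
    if verdict == "redirect":
        start_response("302 Found", [("Location", payload)])
        return [b""]
    who = payload["eppn"] if verdict == "ok" else "anonymous"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello, {who}\n".encode()]
```

The point of the pattern is that the application, not the web server configuration, decides when a session is required: public paths are served without ever contacting the IdP, and a protected path simply redirects to the initiator with the original URL as the target so the user lands back where they started once the session exists.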