Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

Some initial thoughts on Shibboleth, especially as compared with using WebAuth on application web servers:

  • The Shibboleth SP (Service Provider) software is relatively difficult to set up and configure; configuration involves editing XML files, and there are apparently no existing tools to make this easier.  Support is via the Shibboleth wiki and users mailing list; figuring things out from the former can be problematic, but, on the positive side, the latter is highly responsive.
  • The SP itself has many prerequisite packages: cURL, log4cpp, xerces-c, xml-security-c, opensaml (Linux RPMs available from the Shibboleth download page).
  • The SP Apache module is written in C++, which might present compatibility issues with other modules (e.g. libphp4); details are in the Shibboleth wiki.
  • There is apparently no support for credential delegation; some sort of support for this is planned for 2.0, though it is not clear exactly how this might work.
  • The 1.3 IdP does not handle user authentication itself (WebAuth could be used for this); 2.0 will offer some support for this.
  • The integration with LDAP is relatively deep, as you can configure which attributes to release to which providers.
  • It does not require Kerberos, using certificates for server authentication.
  • The SP offers a "lazy session" feature, i.e. where an application can trigger the establishment of a Shibboleth session and optionally receive attributes at a point when it deems this necessary.  (This could be useful to permit, say, anonymous access to some resource up to the point where the application would require authentication, etc.).