The Shibboleth Consortium, a collaborative group of international research and education organisations, has released version 3 of the Shibboleth identity provider, its free open source software that enables secure web single sign-on. Institutions are able to use the software to enable learners and researchers to safely access library resources, databases and collaboration tools using only one log-in, doing away with the need to set up new accounts as they move between locations.
Developed following extensive consultation with the community, the new release offers significant functional and security enhancements, including user consent and on-demand metadata lookup. It also supports the Central Authentication Service (CAS), the internationally-recognised single sign-on protocol used by many universities and research organisations.
Shibboleth is among the world's most widely deployed federated identity solutions, providing single sign-on capabilities and individual access to protected online resources, in a privacy-preserving manner.
The Shibboleth Consortium funds the ongoing development, support and maintenance of the software, keeping every component of the Shibboleth system free to use. The two principal members are Internet2 in the US and Jisc in the UK. Jisc also acts as consortium operator, managing the day-to-day running of the group.
According to Josh Howlett, head of trust and identity at Jisc, the latest release has been developed for the community, by the community, listening to their feedback to ensure the software truly meets their needs, both now and in the future.
The new features and functionality include user notification, including the ability to present an individual with a list of the attributes the service is requesting that allows them to confirm that they wish to proceed. Permissions can be granted directly through the browser, so there is no need to set up and manage a database. Such mechanisms can also help organisations to meet regulations, for example, requirements for user notification under EU law. Support for CAS protocol enables organisations to use just one identity provider software package for transactions with both on-campus CAS, and on- and off-campus Security Assertion Markup Language (SAML) protected services. Ability to support multiple algorithms for signing and encryption simultaneously allows organisations to increase the security of their transactions without compromising compatibility with older systems. Built-in next generation federation features such as the emerging Metadata Query Protocol, which is replacing the need to compile ever-larger metadata aggregates through on-demand metadata lookup. Additional features include support for internationalising user interface and error messages.
Originally released in 2003, the growth of cloud services has led to an increase in the deployment of Shibboleth worldwide as a core component of campus identity and access management.
Shibboleth version 3 will come to replace previous versions. The consortium urges deployers to plan their upgrade now to take advantage of the security and functional improvements and ensure they are fully compliant before the discontinuation of support for Version 2.4, expected later this year.
