The idea for this project arose from our day-to-day use of the Shibboleth user authentication system at the University of Bedfordshire. The University controls access to its various services, including the student portal Breo, Learning Resources and student e-mail, through Shibboleth, and other universities in the UK are likewise adopting Shibboleth for access management. The authors therefore considered it worthwhile to evaluate the efficiency and effectiveness of Shibboleth from several perspectives. The first part of the paper describes the features of Shibboleth as a single sign-on (SSO) service and compares it with other SSO services such as Athens and Kerberos. The middle section walks through the installation and configuration of Shibboleth. The final part, based on a survey of real Shibboleth users at the University of Bedfordshire, gives the authors' view of the effectiveness of Shibboleth as an SSO service. Throughout the investigation the authors applied triangulation to capture both the user and the service-provider viewpoint on Shibboleth. Although some problems persisted, the authors also implemented a Shibboleth system successfully in order to identify the practical difficulties and to judge its efficiency and effectiveness. Recommendations and conclusions are given at the end of the paper.
In the age of information technology (IT), higher education is moving towards the Virtual Learning Environment (VLE), while information security (IS) over the Internet remains one of the pivotal issues for Higher Education (HE) institutions. A Federated Access Management system called Shibboleth has replaced Athens, with the aim of providing a safe and secure network to educational institutions in the UK (census.ac.uk). Giving general access to a repository is a rather easy task [
The aim of this research is to evaluate the efficiency and effectiveness of Shibboleth compared with other single sign-on (SSO) systems. The scope of the paper is to compare the features of Shibboleth with those of other SSO services, to go through the installation process, and to record any hiccups during the installation and configuration steps. The research is based on the Shibboleth deployment at the University of Bedfordshire.
The main objectives of the research are as follows:
・ Review the available literature on Shibboleth and other single sign-on systems, including definitions, types and comparisons.
・ Investigate the security of the Shibboleth system from the administrative and user perspectives.
・ Overview the installation process of Shibboleth within a demo web interface, with a view to understanding the interaction between client and server.
・ Record any problems encountered during the installation and configuration of Shibboleth and find their solutions.
・ Summarize the project and research findings, and provide recommendations to mitigate or minimize any limitations.
Three different methods were applied to carry out this research:
Firstly, for secondary data collection we depend on the literature on the subject. We look into the structure of Shibboleth systems and identify their features relative to other similar services such as Athens, Kerberos and Microsoft Passport.
Secondly, for the primary research we conduct a key informant interview with the person responsible for Shibboleth at the UoB, combining qualitative and quantitative research methods (triangulation).
Thirdly, to analyze the efficiency and effectiveness of Shibboleth we oversee the installation process and configure Shibboleth 2.2 in a physical network.
Mixture of Qualitative and Quantitative Approach
Triangulation, the combination of qualitative and quantitative methods, is well suited to achieving the aims and objectives of this research. The logic behind combining the two is that it gives the opportunity to cross-check results when judging the efficiency and effectiveness of Shibboleth at the University of Bedfordshire. Furthermore, triangulation is believed to give the researcher a more accurate result [
Considering the nature of the project, the researchers decided to apply a quantitative approach. By definition, quantitative methods rely on data collected through surveys to understand people's perceptions, events and behaviours. In this research the quantitative method seeks answers to objective two, which concerns investigating the security of the Shibboleth system from the administrative and user perspectives.
Following the requirements of JISC (Joint Information Systems Committee), the University of Bedfordshire introduced Shibboleth to authenticate people who access the web resources and databases available at the University, such as Breo and SITS e:Vision. The University employs Shibboleth to authenticate staff and students when they access Breo, SITS e:Vision, the digital library and Email (
As can be seen in the above
The Shibboleth Architecture [ShipProbt] is defined by Scavo and Cantor (2005) as the SAML 1.1 SSO extension with attribute exchange mechanisms. It specifies a service-provider-first SSO profile with extended user privacy features. The authors also list the fixed standards on which Shibboleth is built. The architectural standards of Shibboleth are:
・ Hypertext Transfer Protocol (HTTP).
・ Extensible Markup Language (XML).
・ XML Schema.
・ XML Signature.
・ SOAP.
・ Security Assertion Markup Language (SAML) [
The architectural shape of Shibboleth, with its attribute exchange communication, is shown here:
In the above
Within a website or network, single sign-on acts like a bridge connecting various software and programs. With a single sign-on system the user gains access to different services without having to be authenticated again for each one. The large e-mail providers are an example: once the user has been authenticated to the account, they gain access to other services such as web browsing, financial services and image services.
1) Single sign-on
The single sign-on authentication process in Shibboleth takes place within a Virtual Organization [
The problem with many separate sign-ons is that it really affects the performance of the web, and people have started to treat this as a great drawback. Trusted members of the SSO circle take advantage of SAML authentication assertions [
2) Federated system
The capabilities of an identity-management service expand as each organization adopts a federated system. There are different kinds and forms of relationship between organizations. A university is an example: it needs access at various levels, such as students, staff, libraries and faculty.
The eduPerson object class helps Shibboleth make the whole management process easier to conduct. The auxiliary object class "eduPerson" is designed to carry the information exchanged between the campus directories of higher education institutions. It is also treated as the bridge between the network, the website software and the programs.
3) Protect data and user’s privacy
Shibboleth, built on SAML, gives users strong data security and privacy protection. Here the authentication data forwarded to the service is sufficient for the university's purposes, and personal information is also controlled and protected through Shibboleth.
4) International uptake of system
The Identity Provider's login page (login.jsp) can be configured to carry the university's branding. Shibboleth ensures both on-campus and off-campus control of access to the university's resources. The relationship between institution and user can also be built up and defined here. With the attribute service, group-based and role-based authorization is also supported.
5) Play Well with Others
Interoperability has already been mentioned as one of the prime features of Shibboleth; as Shibboleth (2010) notes, the federated world requires interoperability. With its multi-protocol support, Shibboleth can now interoperate with various commercial implementations, among them Microsoft's Active Directory Federation Services, CardSpace and other implementations of the OASIS standards.
Shibboleth also has some disadvantages or drawbacks. The main problems are global log-out, the infancy of the technology, complexity and assumptions. Some explanations of these issues follow:
1) No global log-out
The main problem with Shibboleth is probably global log-out: Shibboleth is not able to log the user out of all services at once.
2) Infancy of technology
The modern architecture of the Internet is being upgraded at a very rapid pace, and the Shibboleth software cannot cope with this rapid technological advancement. One estimate puts the number of Shibboleth-protected resources at about 5, compared with 260 Athens-protected resources.
3) Complexity
In the case of proxy servers, the Shibboleth implementation is more complex than that of a normal server. It requires a special environment on the local machine, and creating that special environment is itself a complex task. Generally, only expert XML programmers know the configuration language.
4) Assumptions
Heavy reliance on assumptions is also treated as a problem by some authors; for example, it is assumed that the web browser has JavaScript enabled. These assumptions create problems in that the minimum assumptions will not satisfy the administrative requirements. The following problems relating to administrative issues in the institution are indeed some of the big problems [
5) Security risk
Security risk is considered one of the biggest drawbacks of the Shibboleth system. The single sign-on interface creates security problems because it is attached to both the manager's and the client's side. A poor password system leaves clients vulnerable, and through such a weak access system various threats such as malicious software, rogue programs and bad bots can gain unwanted access to secured resources. Both clients and managers would face problems in this way. According to CVE, one such vulnerability affects OpenSAML (2.4.x before 2.4.3 and 2.5.x before 2.5.1) and the IdP before 2.3.2 [
The single sign-on system is now considered the "Holy Grail" of computer security [
1) Kerberos
Kerberos is used as a single sign-on system in some financial organizations and for Automated Teller Machine (ATM) security. Windows 2000-based enterprises gained banking-level security through Kerberos. However, migration to Active Directory has made its configuration and implementation more complex for administrators than that of other single sign-on systems [
2) Microsoft passport
Another SSO system used in the banking sector is Microsoft Passport, also known as the digital wallet. Vendors, content providers, consumers and service providers have shown little interest in Microsoft Passport because of its limitations.
3) Athens account
Athens is a federated system designed for access management to online services. In the UK it was the de facto standard for the health and education sectors from the late nineties through the 2000s. One statistic states that two million users used Athens to access 769 user sites, 51 service provider sites and 249 resources [
To implement Shibboleth 2.0 we set up a virtual environment and observed the interactions between the Shibboleth Identity Provider (IdP) and Service Provider (SP), as follows:
Setting up the virtual network.
We will install the identity provider (IdP) and the service provider (SP) as depicted above in
To evaluate the efficiency and effectiveness of Shibboleth we had to go through the Shibboleth configuration and installation process on Windows XP. Throughout the configuration and implementation process we found that implementing Shibboleth is not only a difficult job but also one that demands enormous technical knowledge from the implementer. To bring the project to a successful conclusion despite these difficulties, we sought the help of a professional, who helped us configure and implement Shibboleth at the end of the project. The aim of this chapter is to describe how the researchers carried out the configuration and implementation, to analyze the difficulties faced during configuration and installation, and to present the solutions sought, in both technical and professional terms.
| | Athens | Shibboleth |
|---|---|---|
| Status | Live commercial service | Emerging architecture |
| Purchase options | Technology or managed service | Reference software available |
| Published open standard | No | Yes |
| Access management system | Yes | No |
| Authentication system | Yes | Out of scope |
| Authorization system | Yes | Yes |
For installing the Shibboleth IdP and SP, we had to set up an environment with the following hardware and software requirements.
Hardware requirements
・ Intel Pentium IV (the minimum requirement is an Intel Pentium III).
・ 512 MB of Random Access Memory (RAM).
・ 500 MB of spare storage.
・ 20 Mbit Ethernet card.
Software requirements
・ Java 1.5.
・ Apache Tomcat 5.5.
To implement Shibboleth 2.0, the authors set up the environment in the following order:
・ Set up your virtual machine.
・ Install Java.
・ Install the Apache HTTPD server.
・ Install Tomcat.
・ Install the Shibboleth Identity Provider software.
We finally managed to install and configure the Shibboleth SP and IdP, and to connect Apache with Tomcat, although an error on the Shibboleth login page (url: http://lc.sb.com/idp/j_security_check) still remained.
When we checked the Shibboleth SP log in shibboleth-sp\var\log\shibboleth\native.log, it contained the following error messages:
2011-08-29 00:15:47 ERROR Shibboleth. Listener [
2011-08-29 00:15:47 ERROR Shibboleth. AssertionLookup [
There were also a few other problems:
1) When we visited http://localhost/Shibboleth.sso/GetAssertion, the URL returned the message: Assertion Lookup Failed.
2) Apache SSL may not have been working properly. We found this when we checked https://lc.sb.com/Shibboleth.sso/Status instead of http://lc.sb.com/Shibboleth.sso/Status and it returned "Unable to connect".
Solutions to the above problems.
The helper's reply was that the errors in our native.log were probably due to our accessing GetAssertion (see below).
SSL needs to work. Does SSL work when you visit https://lc.sb.com/?
He also commented on our two points under the earlier problems:
1) Firstly, exportAssertion must be turned on when you protect your path, and secondly, you cannot just visit that URL without parameters; see https://wiki.shibboleth.net/confluence/display/SHIB2 Native SP Content Settings.
You should probably ignore GetAssertion until you have got things working.
2) Try https://localhost/Shibboleth.sso/Status.
Although the installation itself was successful, the problem arose in linking the Shibboleth SP and IdP. To solve it we turned to the technical notes provided by Mr. Mark Gamble. We tried to configure the system with them, but we could not understand all of the technical notes and commands he gave.
When we tried to configure with them and start Apache 2.2, an error was generated. The error message referred to a file at D:/opt/shibboleth-sp/lib/shibboleth/mod_shib_13, which left us confused as to why the error arose when starting Apache 2.2.
Solutions to the above problems.
Following the above problems, the professional provided the solution by e-mail: mod_shib_13.so is a link to the Apache v1.3 module.
In your httpd.conf, you should Include the configuration for the appropriate module for your web server, which in your case is D:/opt/shibboleth-sp/etc/shibboleth/apache22.config, not D:/opt/shibboleth-sp/etc/shibboleth/apache.config.
This note outlines a basic installation and configuration of a Shibboleth 2 Service Provider on CentOS 5. It is assumed that a fresh installation of Apache 2.2 with SSL is in place.
These are quick notes for CentOS 5. For any other operating system [
It is preferable that the website is accessible only via HTTPS. To achieve this, put the following into /etc/httpd/conf/httpd.conf:
#FORCE HTTPS
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R,L]
Install Shibboleth
Add the Shibboleth yum repository:
cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/security:/shibboleth/CentOS_5/security:shibboleth.repo
Install:
yum install shibboleth
or, for 64-bit:
yum install shibboleth.x86_64
Shibboleth configuration files will be placed in /etc/shibboleth/ and the Apache configuration in /etc/httpd/conf.d/shib.conf. The Shibboleth daemon, shibd, is installed to /usr/sbin and can be managed with /sbin/service and /sbin/chkconfig. An appropriate version of mod_shib and the other pluggable modules are installed to /usr/lib/shibboleth/. Logs are located in /var/log/httpd/native.log and /var/log/shibboleth/.
To ensure that the native.log file can be written by the apache user, change the ownership of /var/log/httpd/:
chown apache /var/log/httpd
or, better for security, touch /var/log/httpd/native.log and chown only that file, or touch the file somewhere else and chown it, so that the web server does not own the whole log directory.
Tell shibd to start at system startup (via chkconfig), then start it and restart your website:
service shibd start
service httpd restart
Quick Test
Visit /Shibboleth.sso/Status on your SP and verify that you get a StatusHandler XML element back.
Metadata
For users to authenticate successfully to your SP, the SP must have the metadata of the IdP which actually authenticates them, and the IdP must have your SP's metadata.
The metadata for your SP is available at /Shibboleth.sso/Metadata; for example: curl -k https://localhost/Shibboleth.sso/Metadata (or use http if you are not using handlerSSL="true"). Wrap the metadata in these: and put it in a file on the IdP (a good place is /opt/shibboleth-idp/metadata/sp-metadata.xml).
On the IdP, put the following into /opt/shibboleth-idp/conf/relying-party.xml (find the MetadataProvider example and put it next to it):
Get your IdP metadata (the default is in /opt/shibboleth-idp/metadata/idp-metadata.xml, but you need to check it: the entityID and scope may be wrong), wrap it in the same way as above, and put it in a file on the SP (a good place is /etc/shibboleth/partner-metadata.xml). On the SP, add the IdP metadata to your Shibboleth configuration by uncommenting the following line in shibboleth2.xml [
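The metadata exchange above is where most SP/IdP linking problems start, and the notes warn that the default entityID and scope in idp-metadata.xml may be wrong. The following is an added example, not part of the original notes: it parses an IdP EntityDescriptor, checks the entityID and shibmd:Scope against what the SP has been told to expect, wraps descriptors in an EntitiesDescriptor (assumed here to be the wrapper the notes refer to), and shows the scope check the SP applies to scoped attribute values such as eduPersonScopedAffiliation. The XML sample, entityID and scope are constructed for the example.

```python
"""Checks on SAML metadata before the SP/IdP exchange described above.

Added example, not part of the original notes. The IdP metadata below is
a constructed sample shaped like the default idp-metadata.xml; the
entityID and scope are illustrative, not real values.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"
ET.register_namespace("md", MD_NS)
ET.register_namespace("shibmd", SHIBMD_NS)

# Constructed IdP metadata (assumption: shape of the default idp-metadata.xml).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:shibmd="{SHIBMD_NS}"
    entityID="https://idp.example.ac.uk/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
    </md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_entity(xml_text):
    """Return (entityID, [literal scopes]) from one EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected EntityDescriptor, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    # Only literal scopes are collected; regexp="true" scopes need a regex match.
    scopes = [s.text.strip() for s in root.iter(f"{{{SHIBMD_NS}}}Scope")
              if s.text and s.get("regexp", "false") == "false"]
    return entity_id, scopes


def check_idp_metadata(xml_text, expected_entity_id, expected_scope):
    """Return a list of problems; an empty list means the metadata matches
    what the SP side has been configured to expect."""
    entity_id, scopes = parse_entity(xml_text)
    problems = []
    if entity_id != expected_entity_id:
        problems.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")
    if expected_scope not in scopes:
        problems.append(f"scope {expected_scope!r} not declared (found {scopes})")
    return problems


def wrap_entities(descriptors):
    """Wrap EntityDescriptor strings in one EntitiesDescriptor, the form used
    for sp-metadata.xml on the IdP and partner-metadata.xml on the SP."""
    wrapper = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor")
    for xml_text in descriptors:
        wrapper.append(ET.fromstring(xml_text))
    return ET.tostring(wrapper, encoding="unicode")


def scoped_value_ok(value, allowed_scopes):
    """Accept 'value@scope' only if the scope is one the asserting IdP has
    declared in its metadata; otherwise one IdP could assert affiliations
    for another institution's domain."""
    if "@" not in value:
        return False
    scope = value.rsplit("@", 1)[1]
    return scope.lower() in {s.lower() for s in allowed_scopes}


if __name__ == "__main__":
    entity_id, scopes = parse_entity(SAMPLE_IDP_METADATA)
    print("entityID:", entity_id, "scopes:", scopes)
    print("problems:", check_idp_metadata(SAMPLE_IDP_METADATA, entity_id, "example.ac.uk"))
    print(wrap_entities([SAMPLE_IDP_METADATA]))
    print(scoped_value_ok("member@example.ac.uk", scopes),
          scoped_value_ok("member@other.ac.uk", scopes))
```

Run it against the real idp-metadata.xml by replacing SAMPLE_IDP_METADATA with the file's contents and passing the entityID and scope you expect; any problem it reports is one the SP will also trip over once the two sides try to talk.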
Seeing What You Get
To see what attributes are being released to you, write a script that dumps the environment and headers, put it in a protected path, and visit it. For example
Now visit /secure on your SP and see what you get. Consider resolving attributes and filtering them on your IdP. Review your SP's /etc/shibboleth/attribute* configuration, although you will not normally need to modify it.
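The notes call for a script that dumps what the SP hands to a protected path; the following is an added example of such a script, not the notes' own. It is a minimal WSGI application that lists REMOTE_USER and every Shib-* or mapped attribute variable the SP has placed in the request environment, to be mounted under a path protected by mod_shib such as /secure. The attribute ids (affiliation, eppn, mail, ...) are taken from the SP's default attribute-map.xml and are an assumption; the sample environment is constructed so the script runs stand-alone.

```python
"""Show what the SP has released to a protected application.

Added example, not the notes' own script. SAMPLE_ENVIRON is a constructed
stand-in for the environment mod_shib populates after a successful login.
"""

# Session variables the SP exports for every authenticated request.
SESSION_VARS = ("REMOTE_USER", "Shib-Identity-Provider", "Shib-Session-ID",
                "Shib-Authentication-Instant", "Shib-Authentication-Method")

# Attribute ids from the default attribute-map.xml (partial list; assumption).
MAPPED_ATTRIBUTES = {"affiliation", "unscoped-affiliation", "eppn", "mail",
                     "displayName", "entitlement", "persistent-id"}


def released_attributes(environ):
    """Return {name: [values]} for the SP-provided variables in `environ`.
    mod_shib joins multiple values with ';', so split them back out; an
    empty string means the attribute is mapped but was not released."""
    found = {}
    for name, value in environ.items():
        is_shib = (name in SESSION_VARS or name.startswith("Shib-")
                   or name in MAPPED_ATTRIBUTES)
        if is_shib and value:
            found[name] = value.split(";")
    return dict(sorted(found.items()))


def render(environ):
    """Plain-text report shown at the protected path."""
    attrs = released_attributes(environ)
    if not attrs:
        return ("No Shibboleth session variables present: check that the path is "
                "protected (AuthType shibboleth, require valid-user) and that the "
                "IdP released attributes.\n")
    return "".join(f"{name}: {'; '.join(values)}\n" for name, values in attrs.items())


def application(environ, start_response):
    """WSGI entry point. It reads the environment populated by mod_shib
    rather than request headers, so the values come from the SP, not from
    whatever the client chose to send."""
    body = render(environ).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


# Constructed sample of what mod_shib exports after a successful login.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/secure",
    "REMOTE_USER": "jbloggs@example.ac.uk",
    "Shib-Identity-Provider": "https://idp.example.ac.uk/idp/shibboleth",
    "Shib-Session-ID": "_constructed-session-id",
    "affiliation": "member@example.ac.uk;student@example.ac.uk",
    "eppn": "jbloggs@example.ac.uk",
    "mail": "",
}

if __name__ == "__main__":
    # Stand-alone run against the constructed environment; under Apache the
    # SP fills the environment instead (e.g. when served through mod_wsgi).
    print(render(SAMPLE_ENVIRON), end="")
```

Mounted behind Apache, the report lists exactly the attributes the IdP's filter policy released; anything you expected but do not see is missing on the IdP side (attribute resolution or filtering), not in the SP's attribute-map.xml.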
The questions were asked to obtain more information about the students' access to the digital library, which is secured by a single sign-on system, namely Shibboleth.
Question: About Students
This question was included to gather information about the respondents. Although only a small sample (45) of students from different departments was taken, it still produced significant results for our research.
Graph: 1
The aim of this question was to find out the students' main point of access to Breo at the University of Bedfordshire. The survey revealed that the main access point to Breo is the Park Square IT Suite. The above
In summary, most of the students who accessed Breo were undergraduates, compared with the other two groups, postgraduate business and computing students.
Graph: 2
Students were also asked how flexible they found access to Breo under Shibboleth. The survey revealed that almost all types of students found the flexibility of access to Breo under the Shibboleth system good.
The above
Graph: 3
A question about digital library access under Shibboleth was asked to find out whether students had any difficulties with Shibboleth authentication.
The
Interviewer: What are the reasons for introducing Shibboleth at the University of Bedfordshire?
Interviewee: There are a number of reasons for introducing Shibboleth at the University of Bedfordshire, and these are federated reasons. It has become an obligation for HE and FE institutions aiming to provide fast and quality education.
Under SSO, students can access various support services with one login, which is not possible in a multiple sign-on system.
Interviewer: What are the resources covered by Shibboleth?
Interviewee: Shibboleth, as a form of single sign-on system, usually authenticates access to resources like the digital library, Breo, printers and the calendar.
Interviewer: How are the costs related to the Shibboleth?
Interviewee: There is no cost associated with Shibboleth; the system is completely free.
Interviewer: What is the security concern associated with the Shibboleth?
Interviewee: Shibboleth is a fully web-based authentication system which has two layers of security, the IdP (Identity Provider) and the SP (Service Provider). Due to its nature, Shibboleth is a fully secure authentication system.
Interviewer: What are the different authentication systems available in SSO and why Shibboleth is better than others?
Interviewee: The Shibboleth single sign-on system is built so that students do not have to retype passwords. Shibboleth is a secure single sign-on system authorized by the UK federation. There was a de facto system called Athens used by UK universities. The Athens system was built for access to journals and library materials. Within Athens, students needed their own username and password to access the system.
The effectiveness of Shibboleth is much better than that of the other SSO system, Athens, in the field of higher education. Although the Service Provider and Identity Provider are two different services, Shibboleth still provides the same authentication for both. (The beauty behind the effectiveness of Shibboleth is that it provides two different services: Identity Provider and Service Provider.) Moreover, like the University of Bedfordshire, different enterprises or institutions could ensure the highest security by introducing CAS alongside Shibboleth.
From an overall perspective, any organization, from small to large, can afford the Shibboleth system. The research also revealed that, compared with Shibboleth, Athens is very expensive to maintain and manage. However, deploying Shibboleth is a problem that is not only vital but also complex. Through the secondary research, primary research, key informant interview and implementation process, it was found that installation and configuration of Shibboleth demand in-depth technical knowledge of the Shibboleth system together with practical experience in order to implement it correctly and efficiently. Most of the difficulties arose in starting the webapp, linking Apache and Tomcat, installing the Shibboleth SP and IdP and linking them, and starting up the LDAP server.
These limitations could be minimized if any individual or organization follows the above guidelines, drawing on the knowledge, skills and experience gathered from this project.
Shibboleth could be implemented in the financial sector and other business organizations if they developed the support and services needed to implement Shibboleth as an authentication system. Just as CAS is used alongside Shibboleth at the University of Bedfordshire, the banking sector could use smartcards alongside Shibboleth to authenticate its users. By implementing smartcard authentication, a financial organization could reinforce its security as well as provide the best possible service to its customers. To achieve this, the LDAP authentication extension supports SSL authentication [