Account Services on the Web

Shibboleth Glossary

Understanding the following terms will help in following how Shibboleth works and how it is configured.

High-Level Concepts

Shibboleth is a conversation between two kinds of web server about a user. This conversation uses a language called SAML ("Security Assertion Markup Language").

Identity Provider

The Identity Provider (sometimes abbreviated IdP) is the web server that people authenticate (log in) to. It passes the resulting identity information to various Service Providers.

Service Provider

The Service Provider (sometimes abbreviated SP) is the web server which provides some service to the end user. It uses the identity information from the Identity Provider to confirm that the user has authenticated. Additionally, it can use the Identity Assertions contained in that identity information to make authorization decisions.

Additional Concepts

Attributes

A set of facts about the user who was authenticated. Often they originate from the LDAP directory of the user's organization. See also: the attributes released from the Iowa State Identity Provider to Iowa State Service Providers.

Federation

A Federation is when multiple organizations agree on a common set of policies, practices and protocols to manage the identity and trust across those organizations.

In an identity management system like Shibboleth, it means a Service Provider can grant access to users from other organizations in the federation without managing their identity (i.e., their username, password and other attributes).

Identity Assertions

The Identity Assertions are a set of Attributes about the user who authenticated (for example, "this user is a student at Iowa State").

Metadata

The published description of an Identity Provider or a Service Provider: its EntityID, its protocol endpoints, the certificates it signs and encrypts with, and its contacts. Each party loads the other's metadata to decide whom to trust and where to send messages.

Virtual Hosting

When a Web Server hosts multiple separate websites.

Registration Concepts

These are the pieces of information asked for on the ASW registration page.

E-mail Contact

The E-mail Contact is an ISU address (Net-ID or MailListName) which, along with the Department info, goes in the Shibboleth "metadata" about your Service Provider.

It gives other Shibboleth administrators a way to reach the right people to resolve any issues which might arise.

EntityID

The EntityID is the persistent identifier (name) by which the Shibboleth Identity Provider (what people log in to) knows your Service Provider.

The name must be globally unique and should never be changed, because the Identity Provider's trust and attribute-release configuration is keyed on it. Choose carefully and deliberately.

It is a common misconception that the EntityID must match the service endpoint (the URL people use to reach the service). The EntityID should reflect the service itself, which may or may not line up with the particular server it is running on (especially in a virtual hosting environment).

At Iowa State we have adopted the InCommon convention for EntityIDs. All EntityIDs will be of the form:
   https://subdomain.iastate.edu/NAME/sp
where you choose NAME to identify the service provided.

Service Endpoint

The Service Endpoint is the base URL used to reach your service.

If this service runs in a virtual hosting environment it will very likely match the ServerName of the Apache <VirtualHost> block that serves it.

If the service is the only one running on a web server it will very likely match the hostname of the Web Server.

The standard HTTPS port (443) is assumed, but you may indicate that your service runs on an alternate port.

Non-iastate.edu Service Endpoints are supported, but they must be running on an iastate.edu Web Server. If your service runs on a non-iastate.edu Web Server you will need to formally request federation. Contact shibboleth@iastate.edu for more information.

Status

The Status determines whether this Service Provider will be included in the generated configuration file.

Marking a Service Provider as InActive will cause it to be omitted from its Web Server's configuration file until it is re-marked as Active. As with any other change, the omission takes effect on the server only once the regenerated files are downloaded and installed there.

Web Server

The Web Server is the hostname of the actual (physical or virtual) machine running your webserver software (e.g. Apache).

This field is used to collect the configuration information for all the Service Providers (possibly only one) running on a given machine into the appropriate files for download to that server.

To move a service to a new host you will need to delete the old entry and create a new one (so you can download and install the new configuration files for both servers).
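The Metadata, EntityID, Service Endpoint, E-mail Contact, Status and Web Server entries above describe the pieces that end up in a Service Provider's metadata and in the per-server configuration bundles. The script below, added here as an illustration and not part of ASW or the Shibboleth project, ties them together: it checks an EntityID against the https://subdomain.iastate.edu/NAME/sp convention, derives the assertion consumer endpoint from the Service Endpoint (assuming the Shibboleth SP's default /Shibboleth.sso handler at the virtual host root), renders a minimal SP EntityDescriptor with the contact information, and groups Active registrations by Web Server while dropping InActive ones. The registration records, hostnames and contact names are constructed for the example.

```python
"""Render minimal Shibboleth SP metadata from ASW-style registration records (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)

# InCommon-style convention used at Iowa State: https://subdomain.iastate.edu/NAME/sp
# The host must be HTTPS, under iastate.edu, and the path exactly /NAME/sp.
ENTITY_ID_RE = re.compile(
    r"^https://([a-z0-9-]+(?:\.[a-z0-9-]+)*)\.iastate\.edu/([A-Za-z0-9._-]+)/sp$"
)


@dataclass
class Registration:
    entity_id: str        # persistent name the IdP knows the SP by
    service_endpoint: str  # base URL used to reach the service (port optional)
    web_server: str        # hostname of the machine running Apache
    email_contact: str     # Net-ID or MailListName (hypothetical values below)
    department: str
    status: str            # "Active" or "InActive"


def check_entity_id(entity_id: str) -> tuple[str, str]:
    """Return (subdomain, NAME) or raise if the EntityID breaks the convention."""
    m = ENTITY_ID_RE.match(entity_id)
    if not m:
        raise ValueError(f"EntityID {entity_id!r} is not of the form "
                         "https://subdomain.iastate.edu/NAME/sp")
    return m.group(1), m.group(2)


def acs_location(service_endpoint: str) -> str:
    """Assertion consumer URL for the Shibboleth SP's default handler location.

    Assumes the /Shibboleth.sso handler is served at the root of the virtual host,
    so only scheme and host[:port] of the Service Endpoint are used.
    """
    parts = urlsplit(service_endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"service endpoint {service_endpoint!r} must be an HTTPS URL")
    return f"https://{parts.netloc}/Shibboleth.sso/SAML2/POST"


def sp_metadata(reg: Registration) -> ET.Element:
    """Build an EntityDescriptor for one SP (no KeyDescriptor; certificates are per-server)."""
    check_entity_id(reg.entity_id)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=reg.entity_id)
    sso = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                        protocolSupportEnumeration=SAML2)
    ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService", Binding=POST_BINDING,
                  Location=acs_location(reg.service_endpoint), index="1")
    # The E-mail Contact and Department go into a technical ContactPerson so that
    # other administrators can reach the right people.
    contact = ET.SubElement(ed, f"{{{MD}}}ContactPerson", contactType="technical")
    ET.SubElement(contact, f"{{{MD}}}Company").text = reg.department
    ET.SubElement(contact, f"{{{MD}}}EmailAddress").text = f"mailto:{reg.email_contact}@iastate.edu"
    return ed


def metadata_by_web_server(regs: list[Registration]) -> dict[str, list[ET.Element]]:
    """Collect Active SPs per Web Server; InActive ones are omitted from that server's bundle."""
    groups: dict[str, list[ET.Element]] = defaultdict(list)
    for reg in regs:
        if reg.status.lower() != "active":
            continue
        groups[reg.web_server].append(sp_metadata(reg))
    return dict(groups)


# Constructed sample registrations (hypothetical hosts and contacts).
SAMPLE_REGISTRATIONS = [
    Registration("https://grades.cs.iastate.edu/grades/sp", "https://grades.cs.iastate.edu",
                 "web01.cs.iastate.edu", "grades-admins", "Computer Science", "Active"),
    # EntityID deliberately differs from the endpoint host: virtual host on a shared server.
    Registration("https://www.cs.iastate.edu/advising/sp", "https://advising.cs.iastate.edu:8443",
                 "web01.cs.iastate.edu", "cs-advising", "Computer Science", "Active"),
    Registration("https://www.cs.iastate.edu/oldapp/sp", "https://oldapp.cs.iastate.edu",
                 "web02.cs.iastate.edu", "cs-webmaster", "Computer Science", "InActive"),
]


def demo() -> dict[str, list[ET.Element]]:
    return metadata_by_web_server(SAMPLE_REGISTRATIONS)


if __name__ == "__main__":
    for host, descriptors in demo().items():
        print(f"== bundle for {host}")
        for ed in descriptors:
            print(ET.tostring(ed, encoding="unicode"))
```

The KeyDescriptor (the SP's signing certificate) is left out on purpose: in the ASW model the key material belongs to the Web Server bundle, and this example only shows which registration fields land where. The entity-ID check is the part worth keeping: it rejects http:// names, trailing slashes and non-iastate.edu hosts before anything is published.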