A Multi-protocol Authentication Shibboleth Framework and Implementation for Identity Federation

  • Mengyi Li
  • Chi-Hung ChiEmail author
  • Chen Ding
  • Raymond Wong
  • Zhong She
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)


One of the challenges for Single Sign-On (SSO) is the multiprotocol federation in identity management. Even though projects such as Shibboleth provide good identity management framework, they usually support single protocol such as Security Assertion Markup Language (SAML). With the movement of increasing service collaboration in the cloud, identity federation needs to be extended to cover multiple identity protocol standards. In this paper, we propose an online distributed multi-protocol identity management framework Sh-IDaaS (Shibboleth-based Identity-as-a-Service) which could discover multiple user identity services in the Shibboleth environment. The framework enables federation of various identity services by binding different identity providers to a special discovery service, even if they support different identity protocols. Based on the Shibboleth framework, we describe the detailed design and implementation of our pluggable Sh-IDaaS architecture. Analysis of interoperability and performance of our Sh-IDaaS framework prototype is also provided to justify its feasibility and practicability.


Authentication Identity Single Sign-On Identity-as-a-Service 


  1. 1.
  2. 2.
    The Shibboleth Project 2007.
  3. 3.
    OASIS Security Assertion Markup Language (SAML) V2.0, April 2005.
  4. 4.
    The Liberty Alliance Project.
  5. 5.
    Nanda, A.: Identity selector interoperability profile V1.0. Microsoft Corporation (2007) Google Scholar
  6. 6.
    OpenID Specifications, OpenID Foundation (2007).
  7. 7.
    Blaze, M., Kannan, S., Lee, I., Sokolsky, O., Keromytis, A., Lee, W.: Dynamic trust management. IEEE Comput. 42(2), 44–52 (2009)CrossRefGoogle Scholar
  8. 8.
    Cantor, S. (ed.): Shibboleth Architecture. Protocols and Profiles, 10 September (2005).
  9. 9.
    Grimm, C., Groeper, R.: Trust issues in Shibboleth-enabled federated grid authentication and authorization infrastructures supporting multiple grid middleware. In: Proceedings of the 3rd IEEE International Conference on e-Science and Grid Computing, pp. 569–576 (2007)Google Scholar
  10. 10.
    Ragouzis, N., et al.: Security Assertion Markup Language (SAML) V2.0 Technical Overview. OASIS Committee Draft, Document ID sstc-saml-tech-overview-2.0-cd-02, March (2008).
  11. 11.
    Lewis, K.D., Lewis, J.E.: Web single sign-on authentication using SAML. Int. J. Comput. Sci., 2 (2009)Google Scholar
  12. 12.
    Reed, D., Chasen, L., Tan, W.: OpenID identity discovery with XRI and XRDS. In: Proceedings of the 7th Symposium on Identity and Trust on the Internet, pp. 19–25 (2008)Google Scholar
  13. 13.
    Recordon, D., Reed, D.: OpenID 2.0: a platform for user centric identity management. In: Proceedings of the 2nd ACM Workshop on Digital Identity Management, pp. 11–16 (2006)Google Scholar
  14. 14.
    Rieger, S.: User-centric identity management in heterogeneous federations. In: Proceedings of the 4th International Conference on Internet and Web Applications and Services, pp. 527–532 (2009)Google Scholar
  15. 15.
    Barton, T., et al.: Identity federation and attribute-based authorization through the globus toolkit, Shibboleth, GridShib, and MyProxy. In: Proceedings of the 5th Annual PKI R&D Workshop (2006)Google Scholar
  16. 16.
    Widdowson, R., Cantor, S. (ed.): Identity Provider Discovery Service Protocol and Profile. 27 March (2008). sstc-saml-idpdiscovery-cs-01.pdf
  17. 17.
    RFC 2109: HTTP State Management Mechanism,
  18. 18.
    Hodges, J.: Technical Comparison: OpenID and SAML, Draft 6. 17 January (2008).
  19. 19.
    Kim, S.H., Jin, S.H., Lim, H.J.: A concept of interoperable authentication framework for dynamic relationship in identity management. In: Proceedings of the 12th International Conference on Advanced Communication Technology, pp. 1635–1639 (2010)Google Scholar
  20. 20.
    Nenadic, A., Zhan, N., Chin, J., Goble, C.: FAME: adding multilevel authentication to shibboleth. In: Proceedings of IEEE Conference on e-Science and Grid Computing, p. 157 (2006)Google Scholar
  21. 21.
    Hiroyuki, S., Takeshi, N.: Federated authentication in a hierarchy of IdPs by using shibboleth. In: Proceedings of the 11th IEEE/IPSJ International Symposium on Applications and the Internet, pp. 327–332 (2011)Google Scholar
  22. 22.
    Almenárez, F., Arias, P., Marín, A., Díaz, D.: Towards dynamic trust establishment for identity federation. In: Proceedings of the Euro American Conference on Telematics and Information Systems: New Opportunities to increase Digital Citizenship, Article No. 25 (2009)Google Scholar
  23. 23.
  24. 24.
    Hatakeyama, M., Shima, S.: Privilege federation between different user profiles for service federation. In: Proceedings of the 4th ACM Workshop on Digital Identity Management, pp. 41–50 (2008)Google Scholar
  25. 25.
    Hatakeyama, M.: Federation proxy for cross domain identity federation. In: Proceedings of the 5th ACM Workshop on Digital Identity Management, pp. 53–62 (2009)Google Scholar
  26. 26.
    Takaaki, K., Hiroaki, S., Noritoshi, D., Ken, M.: Design and implementation of web forward proxy with shibboleth authentication. In: Proceedings of the 11th IEEE/IPSJ International Symposium on Applications and the Internet, pp. 321–326 (2011)Google Scholar
  27. 27.
  28. 28.
  29. 29.
    OpenID Authentication 2.0 Final, 5 December (2007).
  30. 30.
  31. 31.
  32. 32.
  33. 33.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Mengyi Li
    • 1
  • Chi-Hung Chi
    • 2
    Email author
  • Chen Ding
    • 3
  • Raymond Wong
    • 4
  • Zhong She
    • 5
  1. 1.Tsinghua UniversityBeijingChina
  2. 2.Data61, CSIROCanberraAustralia
  3. 3.Ryerson UniversityTorontoCanada
  4. 4.University of New South WalesKensingtonAustralia
  5. 5.IntelShare InitiativeMelbourneAustralia

Personalised recommendations