How it works

The UK federation uses the standards based Shibboleth software, developed by the Internet 2 community in the United States to facilitate the sharing of web resources that are subject to access control.

The Shibboleth architecture defines a way of exchanging information between an individual and a provider of digital data resources. Shibboleth is able to protect both the security of the data and the privacy of the individual viewing it. For further information see this Shibboleth Concepts page.

The common framework for access management defined by Shibboleth is being adopted by education communities across the globe.

Shibboleth Flow Diagram

Please note that this flow corresponds to the legacy SAML 1 protocol. We recommend that you use the newer SAML 2 protocol, which is better defined and requires a simpler network configuration.

This diagram shows the flows which can occur during a typical Shibboleth-enabled transaction, with the browser user arriving at the Service Provider site without an existing session and without any information about the user's home institution being known by the Service Provider. There are many variations on this flow, most of them a lot simpler. In addition, later versions of Shibboleth will be able to operate in other ways; and the terminology used to refer to components is subject to change. However, this is offered as a starting point.

  1. The User attempts to access a Shibboleth-protected resource on the Service Provider site.
  2. The User is redirected to the federation WAYF.
  3. The User select his or her home institution (*Identity Provider) from the list presented by the WAYF.
  4. The Identity Provider, by whatever means it deems appropriate, ensures that the User is authenticated.
  5. After successful authentication, a one-time Handle (session identifier) is generated for this User session and is sent to the Service Provider.
  6. The Service Provider uses the Handle to request attribute information from the Identity Provider for this User.
  7. The Identity Provider, on the basis of its Attribute Release Policy, allows or denies attribute information to be made available to this Service Provider.
  8. Based on the attribute information made available to it, the Service Provider allows or refuses the User access to the resource.
    *Although the User's home institution is taken in the above summary to be equivalent to the Identity Provider, in fact an institution may choose to outsource the Identity Provider function to another organisation. However, this does not affect the principle of operation.