Shibboleth

The Virginia Tech Shibboleth project supports federated identity management among higher education and related institutions. Virginia Tech is a member of the popular InCommon federation. Most members of a federation participate in two distinct, complementary roles:

  1. Identity provider (IDP) - Every constituent of a federation must provide this service, which verifies the identity of users who belong to the institution on behalf of other federation members requesting identity verification. This is the “home institution” login component of Shibboleth. The IDP also plays the important role of supplying information (attributes) about users when services request it.
  2. Service provider (SP) - A service provided by a federation constituent that a user might want to access via Shibboleth. The IDP serves a supporting role for services offered by SPs, but distributed services made available to large numbers of users through the network effect of federation membership are the end result of the Shibboleth project.

Available Services

A list of Shibbolized services available to InCommon federation members is available on the InCommon Wiki.

VT Shibboleth IDP

The VT Shibboleth IDP provides two principal services:

  1. Authentication (identity assurance)
  2. Attribute release

Authentication is currently available only to VT users with an active PID account. Attribute release is governed by a policy that can be defined at the scope of all service providers, federation member service providers, individual service providers, or any combination thereof.

Attribute Release Policy

There are currently two policy rules in effect. In all cases, no personally identifying information is released to any service provider; service providers cannot, individually or collectively, identify an end user from any or all of the released attributes.

Policy for All Service Providers

The following attributes are released to all service providers.

  • TransientID - A transient, opaque, session-based identifier that is specific to the requesting service provider.
  • eduPersonTargetedID - A persistent, opaque identifier used to identify a user to a service provider. This identifier is cryptographically strong and unique to each service provider to ensure that the identity of the end user cannot be determined from the value.

InCommon Federation Member Service Provider Release Policy

The IDP releases the following attributes to any InCommon service providers:

  • eduPersonScopedAffiliation - A set of normalized affiliations ending in “@vt.edu” whose vocabulary is governed by the eduPersonAffiliation attribute described at http://www.nmi-edit.org/eduPerson/internet2-mace-dir-eduperson-200712.html; for example, all VT users possessing the “VT-STAFF” affiliation are presented as “staff@vt.edu” in this attribute. The mapping of VT affiliation to eduPersonAffiliation is discussed in detail below.

Affiliation Mapping

Since the vocabulary of the eduPersonAffiliation attribute, and consequently the eduPersonScopedAffiliation attribute, is controlled, the vocabulary of VT affiliation values must be mapped onto eduPerson schema values before release. Following is an interpretation of the official attribute mapping found in the attribute-resolver.xml configuration file used by the Shib IDP:

VT Affiliation            eduPerson Affiliation(s)
------------------------  ------------------------
VT-STUDENT-ENROLLED       student, member
VT-EMPLOYEE-STATE         employee, member
VT-EMPLOYEE-WAGE          employee, member
VT-STUDENT-WAGE           employee, member
VT-STAFF                  staff, employee, member
VT-FACULTY                faculty, employee, member
VT-ALUM                   alum
VT-STUDENT-FUTURE         affiliate
VT-STUDENT-RECENT         affiliate
VT-EMPLOYEE-NON-STATE     affiliate
VT-EMPLOYEE-PREHIRE       affiliate
VT-EMPLOYEE-RETIREE       affiliate
VT-EMPLOYEE-TEMPORARY     affiliate
VT-EMPLOYEE-VOLUNTEER     affiliate
VT-AFFILIATE-TEMPORARY    affiliate

Any VT affiliations not mentioned in the above mapping are ignored and not released.
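The following is an added, stand-alone illustration (not the VT IDP's configuration, and not code from the Shibboleth project) of the two release rules and the affiliation mapping above: the table is applied as a set union, scoped with "@vt.edu", unknown VT affiliations are dropped, and eduPersonScopedAffiliation is only included for InCommon member SPs. The eduPersonTargetedID construction (an HMAC over SP entityID and principal keyed with an IdP-secret salt) and the function and parameter names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# VT affiliation -> eduPersonAffiliation value(s), from the mapping table above.
VT_TO_EDUPERSON = {
    "VT-STUDENT-ENROLLED": ("student", "member"),
    "VT-EMPLOYEE-STATE": ("employee", "member"),
    "VT-EMPLOYEE-WAGE": ("employee", "member"),
    "VT-STUDENT-WAGE": ("employee", "member"),
    "VT-STAFF": ("staff", "employee", "member"),
    "VT-FACULTY": ("faculty", "employee", "member"),
    "VT-ALUM": ("alum",),
}
# Every remaining VT affiliation in the table maps to the single value "affiliate".
for _aff in ("VT-STUDENT-FUTURE", "VT-STUDENT-RECENT", "VT-EMPLOYEE-NON-STATE",
             "VT-EMPLOYEE-PREHIRE", "VT-EMPLOYEE-RETIREE", "VT-EMPLOYEE-TEMPORARY",
             "VT-EMPLOYEE-VOLUNTEER", "VT-AFFILIATE-TEMPORARY"):
    VT_TO_EDUPERSON[_aff] = ("affiliate",)
SCOPE = "vt.edu"

def scoped_affiliations(vt_affiliations):
    """Map VT affiliations to eduPersonScopedAffiliation; unknown ones are ignored."""
    values = {f"{edu}@{SCOPE}"
              for aff in vt_affiliations for edu in VT_TO_EDUPERSON.get(aff, ())}
    return sorted(values)

def targeted_id(principal, sp_entity_id, secret_salt):
    """Illustrative eduPersonTargetedID (assumed construction, not the VT IDP's
    actual one): an HMAC keyed with an IdP-secret salt over the SP entityID and
    the principal, so the value is stable for one (user, SP) pair, differs
    between SPs, and cannot be reversed to the principal."""
    msg = f"{sp_entity_id}!{principal}".encode()
    return base64.b64encode(hmac.new(secret_salt, msg, hashlib.sha256).digest()).decode()

def release(principal, vt_affiliations, sp_entity_id, sp_in_incommon, secret_salt):
    """Apply the two release rules above: every SP receives only opaque identifiers;
    InCommon member SPs additionally receive eduPersonScopedAffiliation."""
    attrs = {
        "TransientID": secrets.token_urlsafe(24),  # fresh random value per session
        "eduPersonTargetedID": targeted_id(principal, sp_entity_id, secret_salt),
    }
    if sp_in_incommon:
        attrs["eduPersonScopedAffiliation"] = scoped_affiliations(vt_affiliations)
    return attrs
```

Calling release() twice for the same user against two different SP entityIDs shows the property the policy relies on: the two eduPersonTargetedID values differ, so the SPs cannot correlate the user by comparing identifiers.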

middleware/shib.txt · Last modified: 2009/10/07 17:17 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported