Shibboleth model of Service Providers (SPs) and Identity Providers (IdPs) (a follow up to the IRC)

Skip to first unread message

Feb 20, 2013, 5:02:25 PM2/20/13
Hi all,

I sent the message below to Phil Durbin following the IRC Chat of Feb 13.

It most importantly covers the Shibboleth model of IdPs (and SPs.  The Shib design center is a bit different from what some people on the call were assuming, so I wanted to provide clarification. 

I also discuss providing local login along with Shib authentication, and the idea of building your own SP.

Phil suggested I post the message here.  So, belatedly, that's what I'm doing (below my signature).

Marlena Erdos (one of the co-creators of the original Shibboleth and SAML specs)

Hi Phil,

I hope you found my participation in today's IRC chat useful.

I wanted to go over some high points (as I recall them):

I clarified that an SP doesn't need (or even have) a "home" IdP.   The user has a home institution and IdP, but that's entirely distinct.   The design center of SAML and Shibboleth is that of an SP having relationships and accepting  assertions about users from multiple IdPs/institutions.

I also brought up two possibilities for dealing with users who don't have an IdP at their home institution.  The first is to offer "local login" on the "where are you from page" you'll need to put up when  user first contacts the Dataverse.   The second is to tell users to get a login from "ProtectNet" or another free IdP.  Seeing as you don't do identity proofing of users, I don't see a security difference between a user logging in via ProtectNet and logging in via a local identity and password that the Dataverse is storing.   The advantage to going to an "all IdP" solution is uniformity of user experience -- and that the Dataverse gets out of the business of password management.

I noted that you are considering building your own SP to avoid a dependency on apache httpd (and presumably also IIS).   I merely want to mention that you should keep in mind that the InCommon SP offers rich attribute handling facilities.  You might not need them now but you might want them in the future.  I'll also note that you'll need to leave time in your schedule for interoperatibility testing if you build your own SP.  And you'll need to keep up with developments with the InCommon IdP.  All of this might be "easy" -- I can't tell.  I thought it was worth mentioning.


Philip Durbin

Feb 21, 2013, 9:15:48 AM2/21/13
Thanks, Marlena. Much appreciated.

Writing a custom SAML Service Provider (SP) within DVN would be a last
resort, I think. I listed it last at . Mostly this idea
came from a conversation I had in #glassfish on Freenode:

Per that Redmine update, OpenAM is what I'm planning to try first
(after I work more on a different project: Solr). OpenAM seems
especially nice because it supports not only SAML but 18 other
"modules" such as OAuth, LDAP, RADIUS, etc.:

SAML support in OpenAM comes from the "Federation" module:

In short, the hope would be that OpenAM provides a flexible framework
to support multiple authentication methods. Time will tell how it pans
out. Their mailing list is very responsive!

Also, thanks for pointing out that accounts at are free. I didn't realize that.

> --
> You received this message because you are subscribed to the Google Groups
> "Dataverse Users Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to
> For more options, visit

Philip Durbin
Software Developer for
Reply all
Reply to author
0 new messages