This page gives a very short and non-technical introduction to the general procedure of a Shibboleth login. Once you have read through this page, the medium demo will show you the same procedure in more detail while guiding you through the live demo. Finally, if you can bear still more technical details, read the expert demo.
The setting: a user of 'University B' wants to access a Shibboleth-protected e-learning resource 'Medical Training 1' hosted on www.resource.ex.
Fig. 1 summarizes the various steps of the login procedure.
Figure 1: General overview
This introduction focuses on the user's view. It explains neither why things are the way they are nor how they work, and it does not go into technical details.
All names and addresses are imaginary and not related to SWITCHaai.
Phase 1 - User connects to Resource and is redirected
Figure 2: User accesses resource in his web browser
The user wants to access a resource hosted on www.resource.ex.
If the user has recently accessed another Shibboleth-protected resource, access to this resource may be granted immediately. Otherwise, the user first has to authenticate at his Home Organization 'University B'.
Therefore, the user's web browser is redirected to the WAYF ('Where Are You From') server; in this example it runs on www.wayf.ex.
Phase 2 - Home Organization Selection
Figure 3: User selects his Home Organization
The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his Home Organization 'University B' and is redirected to its login page at www.uni-b.ex.
If the Home Organization was selected earlier and remembered by the web browser, this step may be skipped.
Phase 3 - User Authentication at his Home Organization
Figure 4: User authenticates himself at his Home Organization
The user sees the familiar login page of 'University B' and provides his login name and password. If the login name and password match, the user is redirected back to the resource on www.resource.ex that he initially requested.
Phase 4 - Access to Resource Granted
Figure 5: User is granted access to resource
After successful authentication at his Home Organization, the resource decides whether to grant or deny him access. In the background, the Home Organization has provided the resource with the minimal user details it requires for the access authorization decision and for delivering its service. Data protection is assured.
Summary - Shibboleth Login Procedure
Figure 6: Login procedure
Basically, the Shibboleth login process is like any other login process: to access a protected resource, the user has to authenticate. In our case, however, the user authenticates not at the resource itself but at his Home Organization. He needs no additional account at each resource, and he provides his username and password only to his Home Organization, never to third parties.
Once a Shibboleth user is authenticated, he can access other Shibboleth-enabled resources without providing his login name and password again. He only has to log in again if he closes his web browser or if no Shibboleth resource has been accessed for some time.
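The four phases and the summary above can be followed in a small model of the parties involved. The following is an added illustration, not code from SWITCHaai or the Shibboleth project: the host names www.resource.ex, www.wayf.ex and www.uni-b.ex are taken from this page, while the user account, its attributes, the second resource www.other-resource.ex and the 'affiliation' access rule are constructed assumptions. It shows what the text states in prose: the password is checked only by the Home Organization, the resource receives only the attributes the Home Organization chooses to release, and a second resource is reached without a second password prompt while the WAYF step is skipped because the choice was remembered.

```python
"""Toy model of the four-phase Shibboleth login described on this page.

Added illustration, not code from SWITCHaai or the Shibboleth project. The host
names www.resource.ex, www.wayf.ex and www.uni-b.ex are the page's; the user
account, its attributes, the second resource and the 'affiliation' rule are
constructed assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

RESOURCE_HOST, WAYF_HOST, IDP_HOST = "www.resource.ex", "www.wayf.ex", "www.uni-b.ex"
OTHER_HOST = "www.other-resource.ex"  # constructed second resource for the SSO check


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)   # host -> session cookie
    remembered_home_org: str = ""                 # WAYF "remember my choice"
    trace: list = field(default_factory=list)     # hosts the browser is sent to

    def visit(self, host):
        self.trace.append(host)


def make_account(password, attributes):
    """The Home Organization stores only a salted hash of the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return {"salt": salt, "hash": digest, "attributes": attributes}


class HomeOrganization:
    """Identity Provider: the only party that ever checks the password."""

    def __init__(self, name, host, accounts, released):
        self.name, self.host = name, host
        self._accounts = accounts        # username -> make_account(...)
        self._released = released        # attribute names allowed to leave the IdP
        self._sessions = {}              # IdP cookie -> username

    def _user(self, browser):
        return self._sessions.get(browser.cookies.get(self.host))

    def single_sign_on(self, browser, credentials):
        """Phase 3: reuse an existing IdP session, or ask for login name and
        password. Returns the released attribute set, or None on failure."""
        browser.visit(self.host)
        if self._user(browser) is None:
            username, password = credentials()
            acct = self._accounts.get(username)
            if acct is None:
                return None
            digest = hashlib.sha256(acct["salt"] + password.encode()).digest()
            if not hmac.compare_digest(digest, acct["hash"]):
                return None
            cookie = secrets.token_hex(16)
            self._sessions[cookie] = username
            browser.cookies[self.host] = cookie
        attrs = self._accounts[self._user(browser)]["attributes"]
        return {k: v for k, v in attrs.items() if k in self._released}


class WAYF:
    """Phase 2: 'Where Are You From' server listing the Home Organizations."""

    def __init__(self, host, home_orgs):
        self.host = host
        self.home_orgs = {org.name: org for org in home_orgs}

    def select(self, browser, choice):
        if browser.remembered_home_org in self.home_orgs:
            return self.home_orgs[browser.remembered_home_org]   # step skipped
        browser.visit(self.host)
        browser.remembered_home_org = choice
        return self.home_orgs[choice]


class Resource:
    """Service Provider: never sees the password, only released attributes."""

    def __init__(self, host, wayf, required_affiliation):
        self.host, self.wayf = host, wayf
        self.required_affiliation = required_affiliation   # constructed access rule
        self._sessions = {}                                # resource cookie -> attributes
        self.received = []                                 # every attribute set delivered

    def _authorize(self, attrs):
        # Phase 4: the decision uses only what the Home Organization released
        ok = attrs.get("affiliation") == self.required_affiliation
        return "access granted" if ok else "access denied"

    def access(self, browser, home_org_choice, credentials):
        browser.visit(self.host)                           # Phase 1
        attrs = self._sessions.get(browser.cookies.get(self.host))
        if attrs is None:
            org = self.wayf.select(browser, home_org_choice)
            attrs = org.single_sign_on(browser, credentials)
            if attrs is None:
                return "login failed"
            self.received.append(attrs)
            cookie = secrets.token_hex(16)
            self._sessions[cookie] = attrs
            browser.cookies[self.host] = cookie
            browser.visit(self.host)                       # redirected back
        return self._authorize(attrs)


def run_demo(password="correct-password"):
    """Log in to two resources in one browser; returns what is worth checking."""
    uni_b = HomeOrganization("University B", IDP_HOST,
        accounts={"student1": make_account("correct-password",
            {"affiliation": "student", "name": "A. Student", "home_address": "private"})},
        released={"affiliation"})                          # name and address stay at the IdP
    wayf = WAYF(WAYF_HOST, [uni_b])
    medical = Resource(RESOURCE_HOST, wayf, required_affiliation="student")
    other = Resource(OTHER_HOST, wayf, required_affiliation="student")
    browser, prompts = Browser(), []

    def credentials():                                     # the login page of Phase 3
        prompts.append("student1")
        return "student1", password

    first = medical.access(browser, "University B", credentials)
    second = other.access(browser, "University B", credentials)
    return {"first": first, "second": second, "password_prompts": len(prompts),
            "trace": browser.trace, "released": medical.received}
```

Running `run_demo()` yields one password prompt for two granted accesses, a redirect trace in which the WAYF appears only once, and a single released attribute set `{'affiliation': 'student'}`; the name and address stored at the Home Organization are never delivered to the resource. With `run_demo(password="wrong")` both accesses end in `login failed` and the resource receives nothing at all.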
Medium Demo and More Details
This easy demo was a preparation for the medium demo, which allows you to step through the whole sequence yourself with your own web browser.
More technical details and information can also be found on the expert demo page.