Simple Demo

This page provides a very short and non-technical introduction about the general procedure of a Shibboleth login. Once you have read through this page, the medium demo will describe the same procedure in greater detail while guiding you through a live demo. Finally, if you still can bear some more technical details, read the expert demo.


The setting: A user of 'University B' wants to access a Shibboleth protected e-learning resource 'Medical Training 1' hosted on www.resource.ex.
Fig. 1 shows an overview of the involved objects.

Intro Overview

Figure 1: General overview

This introduction is focused on the user's view. It neither explains why something happens, how it comes nor does it explain technical details.
All names and addresses are imaginary and not related to SWITCHaai.

Step 1 - User connects to Resource and is redirected

Resource Request

Figure 2: User accesses resource in his web browser

The user wants to access a resource hosted on www.resource.ex.
Provided the user did recently access another Shibboleth protected resource, access to this resource may be granted immediately. Otherwise, the user has first to authenticate at his Home Organization 'University B'.
Because the resource has no knowlegde yet about the user's Home Organization, the user's web browser gets redirected to the Discovery Service (aka. WAYF - 'Where Are You From' service). In this example the user is redirected to www.wayf.ex.

Step 2 - Home Organization Selection


Figure 3: User selects his Home Organization

The role of the Discovery Service is to present a list of Home Organizations to the user. The user selects his Home Organization 'University B' and is redirected back to the resource, which sends an authentication request via the user's web browser to the selected Home Organization. Thus, the web browser is redirected to the login page of the user's Home Organization at www.uni-b.ex.
In case the Home Organization has been selected earlier and remembered in the web browser, the manual selection at the Discovery Service might be skipped.

Step 3 - User Authentication at his Home Organization

Authentication at HomeOrg

Figure 4: User authenticates himself at his Home Organization

The user sees the familiar login page of 'University B' and provides his login name and password. If login name and password are correct, the user is redirected back to the resource on www.resource.ex that he initially wanted to access.

Step 4 - Access to Resource Granted

Access Granted

Figure 5: User is granted access to resource

After the successful authentication at the user's Home Organization, the resource can now decide whether to grant or deny access to the user. The decision is based on the user's details provided by the Home Organization to the Resource. Because the Home Organization will only release user details that are absolutely needed in order to take this decision, data protection is assured.

Summary - Shibboleth Login Procedure

Complete Demo

Figure 6: Summary of a complete login procedure

The Shibboleth login process is almost like any other login process. To access a protected resource, the user has to authenticate. However, in Shibboleth's case the user authenticates not at the resource itself but at his Home Organization. He does not need an additional account at each resource nor has he to provide his username and password to third parties, but only to his Home Organization.

Session End

Once a Shibboleth user is authenticated, he can access any other Shibboleth-enabled resources without providing his login name and password again. This is only necessary again if the user closes his web browser or if no Shibboleth resource is accessed for some time.

Medium Demo and More Details

This simple demo was a preparation for the medium demo that allows you to step through the whole sequence yourself with your own web browser.
More technical details and information can also be found on the expert demo page.