This page provides a very short and non-technical introduction about the general procedure of a Shibboleth login. Once you have read through this page, the medium demo will describe the same procedure in greater detail while guiding you through a live demo. Finally, if you still can bear some more technical details, read the expert demo.
The setting: A user of 'University B' wants to access a Shibboleth protected e-learning
resource 'Medical Training 1' hosted on
Fig. 1 shows an overview of the involved objects.
Figure 1: General overview
This introduction is focused on the user's view. It explains neither why something happens nor how it comes about, and it does not go into technical details.
All names and addresses are imaginary and not related to SWITCHaai.
Step 1 - User connects to Resource and is redirected
Figure 2: User accesses resource in his web browser
The user wants to access a resource hosted on
If the user has recently accessed another Shibboleth-protected resource, access to this resource may be granted immediately. Otherwise, the user first has to authenticate at his Home Organization 'University B'.
Because the resource has no knowledge yet of the user's Home Organization, the user's web browser is redirected to the Discovery Service (a.k.a. WAYF, the 'Where Are You From' service). In this example the user is redirected to www.wayf.ex.
Step 2 - Home Organization Selection
Figure 3: User selects his Home Organization
The role of the Discovery Service is to present a list of Home Organizations to the user.
The user selects his Home Organization 'University B' and is redirected
back to the resource, which sends an authentication request via the user's web browser to the
selected Home Organization. Thus, the web browser is redirected to the login page of the user's Home Organization at
If the Home Organization was selected earlier and remembered by the web browser, the manual selection at the Discovery Service may be skipped.
Step 3 - User Authentication at his Home Organization
Figure 4: User authenticates himself at his Home Organization
The user sees the familiar login page of 'University B' and provides his login name and password. If login name and password are correct, the user is redirected back to the resource on www.resource.ex that he initially wanted to access.
Step 4 - Access to Resource Granted
Figure 5: User is granted access to resource
After the successful authentication at the user's Home Organization, the resource can now decide whether to grant or deny access to the user. The decision is based on the user's details that the Home Organization provides to the resource. Because the Home Organization releases only those user details that are strictly needed to make this decision, data protection is assured.
Summary - Shibboleth Login Procedure
Figure 6: Summary of a complete login procedure
The Shibboleth login process is almost like any other login process. To access a protected resource, the user has to authenticate. However, in Shibboleth's case the user authenticates not at the resource itself but at his Home Organization. He needs no additional account at each resource, nor does he have to provide his username and password to third parties, but only to his Home Organization.
Once a Shibboleth user is authenticated, he can access any other Shibboleth-enabled resources without providing his login name and password again. This is only necessary again if the user closes his web browser or if no Shibboleth resource is accessed for some time.
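The four steps above and the session behaviour described in the summary can be modelled in a few lines of code. The following Python script is an added illustration and is not SWITCHaai's or Shibboleth's own code: it replaces the real signed SAML messages with plain Python objects and a 'browser' that merely records which host it is redirected to. The hosts www.resource.ex and www.wayf.ex and the name 'University B' come from this page; the Home Organization host idp.university-b.ex, the account data, the attribute names and the second resource www.other-resource.ex are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HomeOrganization:
    """Identity Provider of one Home Organization (the page's 'University B')."""
    name: str
    host: str
    accounts: Dict[str, dict]          # constructed test accounts, not real data
    release_policy: Tuple[str, ...]    # attributes this IdP is willing to release

    def authenticate(self, login: str, password: str) -> bool:
        acct = self.accounts.get(login)
        return acct is not None and acct["password"] == password

    def release_attributes(self, login: str) -> dict:
        # Only attributes covered by the release policy leave the Home
        # Organization; everything else (here the date of birth) stays at the IdP.
        full = self.accounts[login]["attributes"]
        return {k: v for k, v in full.items() if k in self.release_policy}


@dataclass
class DiscoveryService:
    """The WAYF: lets the user pick a Home Organization (step 2)."""
    host: str
    home_orgs: Dict[str, HomeOrganization]


@dataclass
class Resource:
    """A Shibboleth-protected resource; decides on the released attributes (step 4)."""
    host: str
    allowed_affiliations: Tuple[str, ...]

    def grant_access(self, attrs: dict) -> bool:
        return attrs.get("affiliation") in self.allowed_affiliations


@dataclass
class Browser:
    remembered_home_org: Optional[str] = None       # remembered WAYF selection
    idp_session: Optional[Tuple[str, str]] = None   # (home org, login) after step 3
    resource_sessions: Set[str] = field(default_factory=set)  # hosts already logged in


def access_resource(browser, resource, ds, chosen_home_org, login, password):
    """Run steps 1-4 for one access; returns what the user would observe."""
    visited: List[str] = [resource.host]                           # step 1
    if resource.host in browser.resource_sessions:                 # access granted immediately
        return {"granted": True, "visited": visited, "password_prompted": False}

    if browser.remembered_home_org is None:                        # step 2: WAYF needed
        visited.append(ds.host)
        browser.remembered_home_org = chosen_home_org
    idp = ds.home_orgs[browser.remembered_home_org]

    visited.append(idp.host)                                       # step 3
    prompted = browser.idp_session is None                         # no IdP session yet
    if prompted:
        if not idp.authenticate(login, password):
            return {"granted": False, "visited": visited, "password_prompted": True}
        browser.idp_session = (idp.name, login)
    _, session_login = browser.idp_session

    visited.append(resource.host)                                  # step 4: back at resource
    attrs = idp.release_attributes(session_login)
    granted = resource.grant_access(attrs)
    if granted:
        browser.resource_sessions.add(resource.host)
    return {"granted": granted, "visited": visited,
            "password_prompted": prompted, "released": attrs}


# Constructed demo setup using the page's imaginary names.
UNIVERSITY_B = HomeOrganization(
    name="University B",
    host="idp.university-b.ex",   # placeholder: the page does not name this host
    accounts={"alice": {"password": "correct horse",
                        "attributes": {"affiliation": "student",
                                       "surname": "Example",
                                       "date_of_birth": "1990-01-01"}}},
    release_policy=("affiliation",),
)
WAYF = DiscoveryService("www.wayf.ex", {"University B": UNIVERSITY_B})
MEDICAL_TRAINING_1 = Resource("www.resource.ex", ("student", "staff"))


def demo():
    """First login (full redirect chain), a second resource (no password), same resource again."""
    b = Browser()
    first = access_resource(b, MEDICAL_TRAINING_1, WAYF, "University B", "alice", "correct horse")
    other = Resource("www.other-resource.ex", ("staff",))          # constructed, staff only
    second = access_resource(b, other, WAYF, "University B", None, None)
    again = access_resource(b, MEDICAL_TRAINING_1, WAYF, "University B", None, None)
    return first, second, again


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running `demo()` shows the three situations the page describes: the first access passes www.resource.ex, www.wayf.ex and the Home Organization before returning to the resource with a password prompt; the second resource is reached without the WAYF and without a password because the browser already holds a session at the Home Organization, yet access is denied since a student is not staff; the third access is granted immediately from the existing resource session. The release policy is what makes the data-protection claim of step 4 concrete: the resource only ever sees the affiliation, never the surname or date of birth.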
Medium Demo and More Details
This simple demo was a preparation for the medium demo, which allows you to step through the whole sequence yourself with your own web browser.
More technical details and information can also be found on the expert demo page.