Shibboleth

Shibboleth is an open-source federated identity suite that implements SAML 2.0 (and legacy SAML 1.1) for Single Sign-On (SSO) across institutions. It includes the Identity Provider (IdP) and Service Provider (SP) components, widely used in education and research federations (e.g., InCommon, eduGAIN). Shibboleth can integrate with LDAP/AD, and newer versions add OpenID Connect (OIDC) extensions via an OP plugin.

Key Capabilities

  • SAML 2.0 federation: Implements all required profiles and bindings (HTTP-POST, Redirect, Artifact, SOAP) for IdP/SP interoperability.

  • OpenID Connect (optional): The OIDC OP plugin adds OIDC/OAuth 2.0 provider functionality to Shibboleth IdP (Core + OP extensions).

  • Directory integration: Native connectors for LDAP and Active Directory, supporting attribute resolution and filtering.

  • Attribute release policies: Fine-grained attribute filters and consent UI to control what data the IdP releases to each SP.

Limitations

  • Configuration complexity: XML-based configuration and metadata management require federation experience; steep learning curve compared with cloud IdPs.

  • OIDC maturity: The OIDC OP plugin is stable but newer; there is not enough public information to confirm support for PAR, DPoP, or mTLS-bound tokens/FAPI.

  • No SCIM provisioning: Shibboleth focuses on authentication/federation—no built-in SCIM 2.0 provisioning service.

  • Operations footprint: Self-hosted (Java IdP, Apache/IIS SP), requiring patching, cert rotation, and metadata refresh automation.

  • Web SSO focus: Primarily browser-based SAML SSO; API and mobile token use cases are limited unless using the OIDC plugin or an external OAuth server.
