Community News

Team Finland presents Shibboleth OIDC extension

Greetings from the first blog post of the GÉANT Trust & Identity Development Team Finland! We, Henri & Janne (or vice versa as we try to balance it out) have been nicknamed as Team Finland as even our e-mails come as a common message together and all work done related to Shibboleth OpenID Connect (OIDC) extension in the GÉANT Project is our joint effort. Needless to say you are now reading something we have written together.

Shibboleth  is the most widely used federated identity solution in eduGAIN today, both for Identity Providers and Service Providers, and while eduGAIN presently is a SAML2 world, there has been growing interest among federations to also support OpenID Connect (OIDC).

Late 2016, we in Team Finland suggested in the OIDCfed working group  meeting held in Espoo that given our interest and background we could best serve the task by implementing native OIDC support for Shibboleth IdP, as part of the GÉANT Trust and Identity Development Activity. The goal for us was to implement an OIDC extension for Shibboleth with the ambition that it would be considered as a legitimate, production oriented extension for Shibboleth and hopefully even to be considered by the Shibboleth consortium to be included in main releases upstream.

Since the work started, we have had the pleasure of both trying to deeply understand Shibboleth architecture, OIDC protocol and how to combine those two together. We set off with a kickoff with Shibboleth Development team, and thank them for ongoing support! -The work has not been trivial, and while we are still sometimes challenged  by both aspects of the task (Shibboleth and OIDC) we are also very excited about what we have learned and produced already.

Just before Christmas 2017, we released the first alpha version which gave a very good example of bridging the two worlds. This version contained support for ‘implicit flow’, which is the workflow resembling the most popular SAML2 profile in use, where attributes are pushed to the relying party in the first response message. In the OIDC world however, this flow is not as widely known as authorization code flow, which contains a backend call to the OP (IdP in the SAML world), similar to SAML2 attribute queries. Interestingly many OIDC RP implementations assume that developers and deployers prefer the authorization code flow, so a second release from us was the second alpha in March 2018, supporting also authorization code and hybrid flows.

From our perspective, this second release gathered a lot of general attention. People from the wider Shibboleth user community, who we did not formerly know, started testing the software and also sharing some experiences with us. It has been satisfying and encouraging to realize that people have managed to first get the software successfully running, but more importantly understood the existing features, limitations and configuration logic etc so well that they can propose improvements! That’s the most valuable input for us, as it helps us  to foresee how this product is going to be deployed.

As well as working with the Shibboleth team, we have been preparing for certification by the OpenID Foundation, ensuring the profile can pass the needed tests. The first checks have passed with flying colours and we’re confident of passing the formal certification.

You can find the latest releases at github and try it out yourselves. So, keep on communicating any comments, suggestions, whatsoever!

Just before summer vacation, we will respond to some of these improvement propositions with a new alpha release. Then it’s time to recharge batteries in the nice Finnish summer weather (usually only minimal snow) before continuing the development from the end of July onwards.

Iloisia kesän odotuksia yhteistyöterveisin

Team Finland

P.S. Janne will attend the TNC 2018 conference in Trondheim: find him to get any information more detailed than  this blog post 😉