Trust and identity

Propelling OpenID Connect Forward: OIDC extension handed over to Shibboleth Consortium

Shibboleth Consortium to Support and Maintain Identification and Authentication Protocol Extension for Identity Federations Supporting Research and Education

BRISTOL, England, December 11, 2019 – The Shibboleth Consortium, a non-profit organisation that ensures the ongoing development, support and maintenance of one of the world’s most widely deployed federated identity solutions, announced today that it will now support and maintain the Shibboleth OpenID Connect (OIDC) extension that was developed specifically for the global research and education (R&E) community by the GÉANT (GN4-3) Project.

Shibboleth is an open-source project that provides a single sign-on software suite. The Shibboleth software is the most widely used federated identity solution in eduGAIN for both identity providers (IdPs) and service providers (SPs). eduGAIN is a global service that provides an efficient, flexible way for participating federations, and their affiliated users and services, to interconnect.

The GÉANT Project, responsible for managing the development of the Shibboleth OIDC extension since 2016, is co-funded by Europe’s National Research and Education Networks (NRENs) and the EU to deliver a catalogue of advanced, user-focused services, and a successful program of innovation that pushes the boundaries of networking technology to deliver real impact to over 50 million users.

Manne Miettinen, senior expert, CSC – IT Center for Science in Finland, and NORDUnet representative to the Shibboleth Consortium Board commented: “I’m excited to see the handover of the Shibboleth OIDC extension from the GÉANT Project to the Shibboleth Consortium. The Board believes that the OIDC functionality in the Shibboleth IdP software will further strengthen the position of the Shibboleth software for the academic authentication and access federations, making it easier for universities to take advantage of a new generation of services using OIDC technology.”

OpenID Connect

Identity-based authentication protocols provide a secure way for online users to access resources without having to expose their credentials. eduGAIN presently supports the Security Assertion Markup Language (SAML2) authentication protocols; however, there has been growing interest among enterprises and federations to also support the OIDC standard.

OIDC is another identity protocol that allows applications to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable manner.

Scott Cantor, senior systems developer at The Ohio State University and a leading developer on the Shibboleth project since its inception added, “OIDC is well-suited to a wide variety of deployment environments and is particularly attractive within the enterprise, a key constituency of the Shibboleth Consortium.”

Shibboleth OpenID Connect Extension in the GÉANT Project

In 2016, a working group was formed that brought together the Shibboleth development team and the GÉANT Next Generation Trust & Identity Technology team to implement native OIDC support for the Shibboleth IdPv3 software.

Niels van Dijk, work package leader of the GÉANT Trust and Identity Incubator, notes: “Much of the heavy lifting in the development was done by the Incubator team, specifically with participation from the Finnish national research and education network, CSC. Throughout the development, the close collaboration with the Shibboleth development team has been very helpful. Not only to guide and support the development work of our team, but to ensure that the extension was a good fit with the overall Shibboleth product.”

In the beginning of 2019, after a number of alpha and beta releases, a production-ready 1.0 version of the extension was released. It quickly gained interest and popularity among the wider Shibboleth user community, who continue to provide feedback for improvements on the Shibboleth OIDC extension.

In late October 2019, the extension was formally certified by the OpenID Foundation, a non-profit international standardization organization of individuals and companies committed to enabling, promoting and protecting OpenID technologies.

“The formal certification of the Shibboleth OIDC extension by the OpenID Foundation was felt to be a critical part of the work. With the certification in place, we have shown to be fully interoperable with the OIDC standard,” added van Dijk.

The journey of OIDC in the R&E world has just begun, but it has already coalesced a community of identity professionals that are eager to use it and participate in its further development. Under the management of the Shibboleth Consortium and with continued support from the GÉANT Project, the working group anticipates wider adoption with the release of IdPv4 in 2020 and full integration of the code into the core Shibboleth software with IdPv5 in 2021.

Resources: