Open-source Identity Federation with Shibboleth (submission to EUNIS’2006 for a long paper)

Single Sign-On is widely deployed in the French Education/Research community, especially CAS [1]. In addition to improving the security, it allows users to authenticate once and use several web applications, as long as the applications are proposed by their institution. New projects in France now encourage the cooperation between universities, making them share web resources (documents and applications). In the first part, we list these new usages: Opening local web resources to the members of other institutions, Manage an intranet for a geographically distributed population, Inside an establishment, extend SSO features to the propagation of user attributes, Manage the authentication of users at the frontier of institutions (ancient or future students for instance), From the portal of an institution, read electronic publications proposed by commercial partners. We show that Single Sign-On technologies are not sufficient to handle these new needs, and that multiplying the authentication databases is very time-consuming and obviously not scalable (cf figure 1).