Description

During the past few years, OpenID Connect (OIDC) has become a popular choice for implementing single sign-on to Web and native applications via a trusted third party. Even though it has many similarities with SAML, the trust relationship establishment and validation processes in particular are quite different. The GÉANT 4-2 project's task "Next Generation Trust and Identity Technology Development" has participated in drafting how an identity federation could be built with OIDC around a federation operator. The specification draft is called OpenID Connect Federation (OIDCfed).

Even if OIDCfed gains popularity very quickly, SAML will not disappear anytime soon. In practice this means that both protocols will need to be supported for quite some time. Ideally, the same existing software would support both of these technologies, as system administrators are already used to operating identity providers in a federation with their preferred software. In many countries, Shibboleth has been a very common choice for running the identity provider in research & education federations: for instance, in the Finnish Haka and Swiss SWITCH-AAI federations almost all IdPs are run on Shibboleth. For these reasons, we have considered it important that Shibboleth IdP support the OIDC protocol. The implementation project started in spring 2017, and its main goal has been to implement standard OIDC and OIDCfed support natively in Shibboleth IdP.

This talk will focus on the implementation project: how it all started and how it has progressed during the past 1.5 years. We will also demonstrate the technical details, including how the OIDC features are configured using the familiar Shibboleth configuration files.

