Conference: The 11th IEEE/IPSJ International Symposium on Applications and the Internet

Federated Authentication in a Hierarchy of IdPs by Using Shibboleth


Abstract

With widespread single sign-on (SSO) technologies, it is becoming common for services to be provided through SSO. However, it is also becoming common for the structure of IdPs to be complex. A single person may have identities in an organization, in its sub-organizations, and possibly in a virtual organization. The problem is that such identities are provided by independent IdPs. Considering that a major motivation for SSO is that we can reduce cost by integrating authentication, this scenario is never desirable. To solve this problem, we propose a hierarchy of IdPs. In particular, an IdP in a sub-organization can rely on assertions of its parent organization, which enables authentication delegation. Moreover, delegation of authentication introduces a hierarchy of trust. We define its protocol based on the idea that an IdP also issues authentication requests to other IdPs, as ordinary SPs do. A prototype implementation on Shibboleth is also shown. Our authentication delegation is widely applicable to actual scenarios in hierarchically organized institutions and virtual organizations.
