[Middle-L] Open ID versus Shibboleth

james@melcoe.mq.edu.au
Thu, 17 May 2007 10:39:37 +1000

Dear colleagues, 

OpenID is a great, simple technology for fostering single-sign-on among
some web applications. Many of the core concepts of OpenID are similar
to Shibboleth (in particular, applications don't manage users
themselves, instead, they rely on a separate identity service), so the
growth of interest in OpenID is helping us to move away from the endless
proliferation of names and passwords, and towards more efficient
handling of identity.

However, there is a key difference between most OpenID use and national
Shibboleth implementations like the Australian Access Federation (AAF).
In the OpenID world, a person can claim to be anyone they like when
logging in to a service using OpenID. If I create an OpenID account
called "Bill Gates", then use this to log into your blog to post a
comment, then the comment will come from Bill Gates.

In the case of the AAF, your home institution (eg, university) stands
behind the Shibboleth assertion that you are who you say you are, and,
for example, that you are a staff member (not a student). This trusted
assertion is a combination of home institution policy and practices (eg,
how your institution establishes who you are and your attributes) as
well as the technology component enabled by Shibboleth. 

This difference between OpenID and Shibboleth is fundamental and
important for the formal education and research environment - if I can
assert anything I like about myself, this creates many potential risks.
That's not to suggest there are no potential risks with the AAF, but the
level of trust behind assertions is of a significantly different kind.

On a different note, the Shibboleth community has been closely tracking
Open ID, and hopes to soon support OpenID as an alternative assertion
that can be made from a trusted Shibboleth Identity provider - this
means you can use your trusted home institution login for both
Shibboleth federation logins, as well as any wider OpenID logins. Of
course, this doesn't stop anyone from having separate OpenID identities
if they choose, and potentially in the future, associating (or not!)
these external OpenID identities with their trusted home institution.

It's worth noting that the article cited is more positive about
Shibboleth than is implied - eg:
"In adopting Shibboleth, institutions are likely to put the internal
'identity' infrastructure in place that will make it relatively easy for
them to become OpenID Providers and Relying Parties."

This is not to say that Shibboleth can do everything today. The
management of self-asserted attributes is an evolving area, but the MAMS
work on the Autograph personal privacy management tool has made some
progress in this area. The issues associated with retaining identities
as people move between different educational organisations will also
need further work - but the concepts of "account linking" from the
related Liberty Alliance work seem to be the promising way to take this
forward. And as noted, adding an OpenID module to Shibboleth will be
very useful for those who want both approaches together.

But the lack of trust in OpenID is a serious problem for its widespread
use in the formal education and research sector; whereas "real trust" is
a core component of the AAF work that sits behind the Shibboleth
technology rollout.

Best wishes,

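To make the trust distinction discussed above concrete, here is an added toy example (not code from this post, nor from the Shibboleth or AAF projects): a relying party that accepts an identity and attribute claim only when it comes from an issuer listed in constructed federation metadata and is signed with that issuer's key, so a self-asserted "Bill Gates" from an unknown issuer is rejected. HMAC stands in for the XML signatures a real SAML assertion carries; every issuer, subject and key below is a constructed placeholder.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for federation metadata: the relying party trusts only
# issuers listed here. Real federations publish signed XML metadata holding each
# IdP's public key; a shared HMAC key is used here purely to keep the example small.
FEDERATION_METADATA = {
    "https://idp.example-uni.edu.au/idp": b"constructed-secret-for-example-uni",
}


@dataclass
class Assertion:
    issuer: str
    subject: str
    attributes: dict
    signature: Optional[str]  # None models an unsigned, self-asserted claim


def sign(issuer: str, subject: str, attributes: dict, key: bytes) -> str:
    # Canonical serialisation so the same content always yields the same tag.
    payload = json.dumps(
        {"issuer": issuer, "subject": subject, "attributes": attributes},
        sort_keys=True,
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_assertion(issuer, subject, attributes, key=None) -> Assertion:
    sig = sign(issuer, subject, attributes, key) if key else None
    return Assertion(issuer, subject, attributes, sig)


def verify(a: Assertion):
    """Return (accepted, reason). Only an assertion from a federation member,
    signed with that member's key, is trusted; the subject name alone never is."""
    key = FEDERATION_METADATA.get(a.issuer)
    if key is None:
        return False, "issuer not in federation metadata"
    if a.signature is None:
        return False, "assertion is unsigned"
    expected = sign(a.issuer, a.subject, a.attributes, key)
    if not hmac.compare_digest(expected, a.signature):
        return False, "signature does not verify"
    return True, "trusted"


# Constructed inputs: a self-asserted OpenID-style claim, a federation-backed one,
# and a copy of the latter whose attribute was altered after signing.
SELF_ASSERTED = make_assertion("https://openid.example.net/bill-gates", "Bill Gates", {"affiliation": "staff"})
FEDERATED = make_assertion("https://idp.example-uni.edu.au/idp", "jsmith", {"affiliation": "staff"},
                           FEDERATION_METADATA["https://idp.example-uni.edu.au/idp"])
TAMPERED = Assertion(FEDERATED.issuer, FEDERATED.subject, {"affiliation": "student"}, FEDERATED.signature)
```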

-----Original Message-----
From: middle-l-admin@aarnet.edu.au [mailto:middle-l-admin@aarnet.edu.au]
On Behalf Of Jane Hunter
Sent: Thursday, 17 May 2007 9:20 AM
To: middle-l@aarnet.edu.au
Subject: [Middle-L] Open ID versus Shibboleth

I was just at the WWW2007 conference where OpenID was being promoted as
a way forward for single sign-on and identity management:

This article also suggests that it provides a viable and more open
than Shibboleth:

Prof Jane Hunter
School of ITEE
The University of Queensland
St Lucia, Australia
Ph  617 33651092
Fax 617 33654311
email: jane@itee.uq.edu.au