Shibboleth Service

Title of Service: Shibboleth Service

Status of Document: This document describes services offered in June 2011.


1. Introduction

The Shibboleth Service provides middleware for the authentication of Oxford users and the release of a defined attribute set, via an Identity Provider (IdP), to trusted Shibboleth Service Providers (SPs). Shibboleth facilitates federated access management, where the user's home institution authenticates the user and the Service Provider decides, on the basis of the attributes received from the home institution, what authorisation, if any, the user has to access a networked resource. The implementation of Shibboleth at Oxford interoperates with Web-based Single Sign-On (Webauth) to enable authenticated access to trusted networked systems (whether the user is within or outwith Oxford). The Shibboleth IdP service can also be used to support access to systems within Oxford where a Shibboleth Service Provider is considered more appropriate than the direct implementation of Webauth, including access to an Oxford system by remote users using their home institution's IdP. Examples of services where the end-user will encounter Shibboleth include:

This service is owned by the Systems Development and Support Section Manager and was released for general use in July 2007.

Overview of Service

This service is provided for use by registered ITSS wishing to authenticate Oxford users to internal or remote Web-based services.

2. Summary of OUCS’s responsibilities

Hours of Service

2.1 The service is offered as follows:

2.2 OUCS will commence investigation of reported faults within one hour when full technical support is available (provided that no similar fault is already being handled by the same team).

Serviceability Targets

2.3 It is intended, as far as is possible, to maintain service of all components at all times.


2.4 The service infrastructure employs fault tolerance to reduce the risk of component failure impacting availability of the service.

Alternative Facilities

2.5 There are various methods of providing protected access to services: this is the only University shared service for federated access management.

Hardware and Software Maintenance

2.6 The machines used are maintained under warranty by the supplier.

2.7 Software updates are applied by OUCS staff – this is done with the minimum of interruption to service. Any scheduled downtime for maintenance or upgrade will be notified at least 24 hours in advance.

Administration and Support

2.8 OUCS is responsible for managing Oxford University's membership of the UK Access Management Federation, including ensuring compliance with the Federation's Rules of Membership.

2.9 OUCS maintains the Shibboleth IdP Attribute Release Policy (ARP). Currently, and in line with the UK Federation's recommendations, the Shibboleth IdP releases, on request by a remote Service Provider, any of the following attributes:

Other attributes may be released on request by an authorised Oxford service owner or provider (e.g. ITSS).

2.10 Notification of faults, outages, etc. is circulated on the mailing list.

2.11 Technical support (operations and 2nd/3rd line user support) for the service is provided by OUCS. Service requests and fault reports relating to the service should be sent to the OUCS Help Centre.

2.12 User support (1st line) for the service is provided through a combination of local IT support (via local ITSS) and the OUCS Help Centre. Users should seek support from their local ITSS in the first instance. Local ITSS may refer a user to OUCS, or contact OUCS on behalf of a user. Users and ITSS may always contact OUCS about any aspect of the service. The initial point of contact for user support at OUCS is the Help Centre: in person, by telephone, or using our contact form.

Education and Training

2.13 Not applicable.

3. Summary of client’s responsibilities

3.1 Departments and colleges deploying a Shibboleth Service Provider interoperating with the central Shibboleth Identity Provider must comply with any applicable terms of usage, whether of OUCS or the UK Federation.

3.2 End-users are responsible for maintaining the security of their Single Sign-on password, and in particular for ensuring that authenticated sessions are not left in operation unattended or after the user has finished using them.

4. Premium services

Not applicable.