(Work in Progress, this is going to take a while...)

Shibboleth has a lot of moving parts and can be very complex to configure. Since many people have trouble understanding how the system works and what many of the configuration options do, it seems useful to try and actually provide a detailed walkthrough of what the SP and !IdP actually do in a typical transaction from end to end, and how the configuration files, metadata, and so forth actually work.

As you can imagine, this is not simple to do. A complete walkthrough is somewhat like English pseudocode for the implementation, which is quite large. Hopefully this can serve as a reasonable start and improve over time. Note that not every possible path through the implementation is presented here, but the most common aspects will be covered.

Something that I hope will be clear is how critical MetaData is to the entire system. Virtually every key decision is made based on knowledge of the peer in order to create, validate, and process the XML messages.

It should also be understood that this is currently based on how ShibOnedotThree works today. Various aspects of the system will change in upcoming versions. Some notes on this will be indicated when possible.

  1. Initial Access to ServiceProvider, AuthnRequests, SessionInitiators
  2. To the IdentityProvider: UserAuthentication and the SingleSignOnService
  3. BrowserPOST or BrowserArtifact Profile Response
  4. Back to the ServiceProvider: AssertionConsumerServices
  5. Optional AttributeQuery
  6. Resource Requests and Session Validation