Centralized Control of Account Migration at Single Sign-On in Shibboleth

Abstract

Single Sign-On (SSO) is adopted to use multiple services with a single log-in on the Internet. However, when a user tries to change the identity provider (IdP) which is responsible for authenticating the user, he needs to release the binding between the log-in account on the migration-source IdP and his service account on each service provider (SP) and needs to set a new binding between the account on the migration-destination IdP and the service account on the SP. There is no common migration system to support migration using the SSO function. In this research, we focus especially on Shibboleth's function as an SSO service. We propose a protocol to migrate accounts of a user on multiple SPs at once using an attribute provider (AP) in an SSO environment. We have implemented the mechanism as an open-source software using SimpleSAMLphp.