Frequently asked questions about Shibboleth (DFN-AAI)

Shibboleth (DFN-AAI) is a virtual infrastructure that was developed by the US-based Internet2 Community / MACE Group (http://www.internet2.edu), starting in 1998. The aim was a simple and transparent, yet secure, procedure for the unambiguous authentication and authorisation of persons who use distributed, licensed web applications.

The term Shibboleth (DFN-AAI) goes back to the Hebrew word shibboleth (Hebr. שבולת) and is used today in the sense of code word or password.

In addition to freely accessible information and applications, universities also offer a large number of commercial web publications that they buy or license from publishers and other providers. As a rule, only staff and students of the respective university may access these as authorised users. External users may also access them as long as they are on the library's premises (walk-in users). Shibboleth (DFN-AAI) is a browser-based infrastructure that simplifies and streamlines the secure authentication of persons and the allocation of authorisations. Users only need to log in at one point - via their home university - and can then access many different services and network publications. This is also referred to as Single-Sign-On (SSO). It is completely irrelevant which terminal device is used.

Shibboleth (DFN-AAI) is mainly used in the field of higher educational institutions, i.e. in the field of universities, scientific publishers and other providers of scientific content.

In order to authenticate yourself with Shibboleth (DFN-AAI), you need your valid university account, i.e. the access you received from the Centre for Information and Media Technologies (IMT) at Paderborn University when you started your studies or your job (see also https://imt.uni-paderborn.de/uni-account/).

WAYF stands for the question: Where are you from? The publishers, as service providers, set up this service or form as the entry point to Shibboleth (DFN-AAI). Select your home institution here: Paderborn University / Paderborn University Library (there are varying names, also in English). From here you reach the login form for your university account.

All universities and publishers participating in the Shibboleth (DFN-AAI) system must be members of a higher-level federation. The federations are country-specific and regulate the cooperation of all participating partners via binding legal and technical standards. In Germany, this is the Association for the Promotion of a German Research Network - DFN-Verein. The structure within which this takes place is the so-called authentication and authorisation infrastructure, or DFN-AAI for short (see also https://www.aai.dfn.de/).

In the Shibboleth (DFN-AAI) concept, three parties play a role:

  1. The person who has authorisation to use licensed network publications and services. At Paderborn University, these are the staff and students. They are defined as members = member@uni-paderborn.de. Persons with the status GAST are not classified as authorised users.
  2. The institution - Paderborn University - to which the person belongs and which provides licensed network publications and services. It authenticates the user and grants rights. It is the identity provider - IdP.
  3. The provider or publisher who makes content and network publications available. It verifies the authorisation of both the licensing institution and the user and grants access to a commercial network resource. It is the service provider - SP.

The single sign-on procedure allows you to use other licensed network publications within one browser session with a one-time login via your personal university account. Your browser settings must allow cookies for this.

For example, you have logged in to ScienceDirect via Shibboleth (DFN-AAI) with your university account. In the course of your research, you are offered further literature, e.g. a full text, which is hosted on SpringerLink. You do not need to log in to SpringerLink again, as long as your browser session remains active. If necessary, you will only be asked again for the institution (Where are you from?).

Paderborn University as Shibboleth (DFN-AAI) identity provider has configured the procedure in such a way that the minimum requirements of the authorisation and authentication infrastructure of the German Research Network DFN-AAI are met. As a rule, no personal data such as names or e-mail addresses are transmitted, only your assigned status and an associated value. The basis of this value is a contract that both the identity provider - Paderborn University - and the various service providers - the publishers - have concluded with each other via the higher-level federation - the DFN-AAI. These are the so-called common-lib-terms.

Employees and students of Paderborn University have the status of "member": member@uni-paderborn.de. The following value is also transmitted: urn:mace:dir:entitlement:common-lib. Both together bindingly indicate to a service provider that Paderborn University has given an employee or a student the authorisation to use the respective network resource.
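The decision a service provider makes on these two transmitted values can be sketched as follows. This is an added example, not code from the library, the DFN-AAI or any publisher: the eduPerson attribute OIDs, the function names and the sample statements are assumptions or constructed data, and the assertion is assumed to have been signature-validated by the SAML software beforehand.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard eduPerson OIDs (assumption: the page does not name the attributes).
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
# Values exactly as stated on this page.
REQUIRED_STATUS = "member@uni-paderborn.de"
REQUIRED_ENTITLEMENT = "urn:mace:dir:entitlement:common-lib"

def released_attributes(statement_xml):
    """Map each attribute Name to the set of values released for it."""
    attrs = {}
    for attr in ET.fromstring(statement_xml).iter("{%s}Attribute" % SAML_NS):
        values = {(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML_NS)}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs

def is_authorised(statement_xml):
    """Grant access only if BOTH values are present as exact matches."""
    attrs = released_attributes(statement_xml)
    # Whole-string comparison: a substring or prefix test would accept
    # look-alike scopes such as member@uni-paderborn.de.example.org.
    has_status = REQUIRED_STATUS in attrs.get(SCOPED_AFFILIATION, set())
    has_entitlement = REQUIRED_ENTITLEMENT in attrs.get(ENTITLEMENT, set())
    return has_status and has_entitlement

def sample_statement(statuses, entitlements):
    """Build a constructed AttributeStatement (demo data, not real traffic)."""
    def attribute(name, values):
        body = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v
                       for v in values)
        return '<saml:Attribute Name="%s">%s</saml:Attribute>' % (name, body)
    return ('<saml:AttributeStatement xmlns:saml="%s">%s%s'
            '</saml:AttributeStatement>'
            % (SAML_NS, attribute(SCOPED_AFFILIATION, statuses),
               attribute(ENTITLEMENT, entitlements)))

if __name__ == "__main__":
    cases = {
        "staff or student": ([REQUIRED_STATUS], [REQUIRED_ENTITLEMENT]),
        "status without entitlement": ([REQUIRED_STATUS], []),
        "other status (constructed value)": (["gast@uni-paderborn.de"],
                                             [REQUIRED_ENTITLEMENT]),
    }
    for label, (statuses, entitlements) in cases.items():
        print(label, "->", is_authorised(sample_statement(statuses, entitlements)))
```

No name or e-mail address is needed for the decision, which is why the identity provider can withhold them.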

Exception: Use of the platform "DATEV Students online". The platform provides e-learning applications for which certificates are issued and sent electronically. The following (personal) data is transferred: surname, first name, university e-mail address. The transmitted data is displayed in the Shibboleth login process and confirmed by the user. The storage can be revoked at any time.

Resources and services must be licensed

Access via Shibboleth (DFN-AAI) only works if the desired information medium is licensed by Paderborn University Library. Without a licence, access to e-books, e-journals and databases will be denied. Information on the licence status can be obtained via our catalogue, via the Electronic Journals Library EZB or via the database information system DBIS.

There must be a valid membership in the Federation

The provider or publisher must be a member of the DFN-AAI Federation as a service provider and must recognise and sign the binding framework conditions for cooperation. Only then will it be activated for Shibboleth (DFN-AAI) use.

Cookies must be allowed

Shibboleth (DFN-AAI) only works if the setting of cookies is permitted on the terminal device you are using. If in doubt, check your browser settings to see if this is the case. If not, this setting must be made.

The list in which a publisher presents the home institutions is the so-called WAYF service (= Where are you from?). It can be structured differently for each publisher and contain different terms in both German and English.

Make sure you have selected the correct country = Germany / German Higher Education / or: DFN-AAI.

The following terms are used to designate the home institutions: University / University Library / University of Applied Sciences. The alphabetical order varies greatly. With some WAYF services, there is a certain lack of clarity at this point. In some cases, however, there are search fields where you can enter the keyword PADERBORN and quickly find what you are looking for.

Note: If Paderborn University is not listed in a WAYF service, there may not be an active licence for this information medium or the publisher has not yet been set up for the Shibboleth (DFN-AAI) service.

Be sure to end your active Shibboleth (DFN-AAI) session! To do this, close the browser completely - including all open tabs. On publicly accessible PCs, please also delete the cache and cookies. This is the only way to guarantee that no one else uses your personal university account.

Shibboleth (DFN-AAI) and VPN are procedures that enable access to licensed network publications and services from outside the university network. These are two completely different systems:

When accessing via VPN, a client must first be downloaded and installed on a specific end device. This connects two networks securely and in encrypted form. VPN enables access to the university network in its entirety. Repeated logins for different services or applications are not necessary.

Since VPN use requires the installation of special software (VPN client), use depends on the particular end device on which the VPN client is installed.

When accessing via Shibboleth (DFN-AAI), you use an internet-based procedure by logging into the desired network resource via your university account = Institutional Login / Login via your own institution.

Shibboleth (DFN-AAI) can be used independently of end devices and software installed on these end devices.

Shibboleth does not allow access to the university network as a whole, but rather access via providers (e.g. publishers) and their products, which can, however, usually be used across the board by way of Single-Sign-On (SSO). Occasionally, a new login is required when switching between different offers (e.g. when accessing the content of several publishers).

Please contact erwerbung@ub.uni-paderborn.de if you have any problems.