Shibboleth und DFN-AAI

Shibboleth is the technology widely used in higher education and research environments that serves as an authentication and authorisation infrastructure (AAI) for web applications. In this process, a user can also access services of other universities and providers with his or her local identifier, e.g. e-learning offerings, libraries or software providers.


The  Shibboleth software forms the technical basis that opens up a constantly growing range of services on the web to owners of active LRZ, TUM and LMU accountss, see the directory of service providers in the DFN-AAI.

As a user or as a web administrator, you will find further information in the following sections:



Features and Properties of Shibboleth

  • Distributed authentication and authorisation: The local account can be used to log in to local services as well as to services offered by other institutions (federated identity management, FIM).
  • Web applications: Shibboleth can primarily be used for web applications. In addition to university offerings (portals, wikis, learning systems, etc.), commercial providers also use Shibboleth (e.g. online publishing offerings, software distribution). However, with the ECP protocol, it is possible to log on to stand-alone applicationss (e.g. at LRZ Sync+Share).
  • Single sign-on: With a single login, various services and applications can be used, even at other institutions.
    Data protection: The user can view his personal data sent to a service provider in advance and cancel the transmission and service use if necessary.
  • Federation: Distributed authentication requires an even higher level of security, confidentiality and reliability of the systems than an institution-local solution. In Germany, universities and research institutions are therefore united in the DFN-AAI Federation. DFN organises and monitors the technical as well as the contractual requirements of the partners.

Shibboleth technology

Shibboleth comprises so-called Identity Providers (IdP) and Service Providers (SP). Identity providers are responsible for the authentication of users of the local institution. Messages about authentication (identity control, login) and relevant information for authorisation (access control) are sent via SAML (Security Assertion Markup Language) to the service provider on whose side the web application is running. If a user wants to enter such an application, he or she is usually directed to a WAYF service ("where are you from"), where he or she selects his or her home organisation and is redirected to it. The login is therefore carried out exclusively at the login mask of the home organisation (the local IdP), which represents a major security advance compared to conventional logins at each individual web application: Passwords no longer reach the web applications and the foreign systems running behind them. A thorough introduction to the concept and technology of Shibboleth is provided by the Shibboleth Wiki https://wiki.shibboleth.net/confluence/display/CONCEPT/Home.

Identity Providers for TUM, LMU and BAdW at LRZ

The LRZ operates the identity providers of TUM, LMU and BAdW. Identities are all active accounts from the TUM, LMU or LRZ directory services.

In order to obtain the full scope of authorisation (as an enrolled student, active employee, etc.) in the applications, users from TUM or LMU should note:


Select "Login mit TUM-Kennung" oder "Login mit LMU-Kennung" in the application (if available):In a selection field (maybe after clicking on "Shibboleth Login" or "Institutional Login") select your own univerity (and not "Leibniz-Rechenzentrum"):


Der Anmeldebildschirm des LMU Moodle

(Source: https://moodle.lmu.de/local/login)


Der Where-Are-You-From Dialog des DFN-AAI
(Source: https://wayf.aai.dfn.de/DFN-AAI/wayf)



Ein allgemeiner Where-Are-You-From Dialog eines Web-Dienstes
(Source: https://link.springer.com)