The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML).
This allows for cross-domain single sign-on and removes the need for content providers to maintain usernames and passwords.
The Shibboleth project was started in 2000 to facilitate the sharing of resources between organizations with incompatible authentication and authorization infrastructures.
Shibboleth supports a number of variations on the canonical use case, including portal-style flows whereby the IdP mints an unsolicited assertion to be delivered in the initial access to the SP, and lazy session initiation, which allows an application to trigger content protection through a method of its choice as required.
The IdP in Shibboleth 2.0 has to do additional processing in order to support passive and forced authentication requests in SAML 2.0.
Shibboleth's access control is performed by matching attributes supplied by IdPs against rules defined by SPs.
An attribute is any piece of information about a user, such as "member of this community", "Alice Smith", or "licensed under contract A".
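The attribute-to-rule matching described above can be sketched as follows. This is an added example, not Shibboleth's own code or configuration syntax: the tuple-based rule format, the attribute names (`affiliation`, `entitlement`, `displayName`) and the sample values are assumptions made for illustration. It also shows a failure mode of negative-only rules when an IdP releases no attributes.

```python
# Added illustration of SP-side attribute rule matching.
# The rule format and attribute names are hypothetical, not Shibboleth syntax.

def evaluate(rule, attributes):
    """Return True only if the released attributes satisfy the rule tree.

    rule is a nested tuple:
      ("require", name, allowed)  any released value of `name` is in `allowed`
      ("and", r1, ...), ("or", r1, ...), ("not", r)
    attributes maps attribute name -> list of values (attributes are multi-valued).
    """
    op = rule[0]
    if op == "require":
        _, name, allowed = rule
        released = attributes.get(name, [])  # attribute not released: no match
        return any(value in allowed for value in released)
    if op == "and":
        return all(evaluate(r, attributes) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, attributes) for r in rule[1:])
    if op == "not":
        return not evaluate(rule[1], attributes)
    raise ValueError(f"unknown rule operator: {op!r}")  # reject malformed rules

# SP rule: community member AND covered by contract A.
POLICY = ("and",
          ("require", "affiliation", {"member"}),
          ("require", "entitlement", {"contract-A"}))

# A negative-only rule is satisfied by a user about whom nothing was released.
NEGATIVE_ONLY = ("not", ("require", "affiliation", {"alumni"}))

# Safer form: pair the exclusion with a positive requirement.
GUARDED = ("and", ("require", "affiliation", {"member"}), NEGATIVE_ONLY)

# Constructed sample attribute sets, as an SP might receive them from IdPs.
ALICE = {"affiliation": ["member", "staff"],
         "entitlement": ["contract-A"],
         "displayName": ["Alice Smith"]}
BOB = {"affiliation": ["member"]}   # no entitlement released
NOTHING = {}                        # IdP released no attributes

if __name__ == "__main__":
    for label, attrs in (("alice", ALICE), ("bob", BOB), ("nothing", NOTHING)):
        print(label, evaluate(POLICY, attrs),
              evaluate(NEGATIVE_ONLY, attrs), evaluate(GUARDED, attrs))
```
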
Trust between domains is implemented using public key cryptography (often simply TLS server certificates) and metadata that describes providers.
Federations are often used to simplify these relationships by aggregating large numbers of providers that agree to use common rules and contracts.
Federations have been formed in many countries around the world to build trust structures for the exchange of information using SAML and Shibboleth software.