Deployment Options
The Shibboleth software can be managed and configured to address a variety of situations of varying complexity. Typically, three distinct deployment phases can be identified. However, individual situations will vary, and there is no requirement that a campus follow a specific sequence. The phases are described in this order because the policy, business practice, and user support issues become broader and more complex with each phase. On the technical side, the configuration files change, but the software itself does not, and no additional extensions are required.
- Organizational Single Sign-on System
Shibboleth can be used as a single sign-on (SSO) system for your campus web applications. For this option, an organization would install both the Identity Provider (IdP) and the Service Provider (SP) packages. Next steps include connecting the IdP to your campus authentication system (such as LDAP or Kerberos) and the SP to the applications to be accessed. No attributes are released on- or off-campus with this option.
- Controlled Information Release
In addition to providing single sign-on functionality, Shibboleth can release information to services so that they can make authorization decisions and control access to either campus-based or licensed resources. Working with your identity management systems, Shibboleth will release, according to your campus policies, the identity data that your service partners need to authorize actions or customize the user’s experience. This reduces the need for developers to access your enterprise directory and provides an alternate way to supply fresh data, just-in-time. This can be implemented for both on- and off-site services and requires the identity provider software to be connected to the institutional identity store, such as an enterprise directory or database, for the information release.
- Federated Access
This option enables an organization to use services offered by another organization. If an organization is interested only in accessing federated applications, the institution need only install the identity provider component. This option does require the controlled information release described above. An organization needs to install the service provider package in order to offer services to others. This option relies on a federation that, on behalf of its members, stipulates the technology, process, and policy requirements for addressing application, personal data, and other security risks. These federation requirements may impact, in particular, an institution’s identity management architecture and processes.
- All of the Above
An organization can also use Shibboleth as a web SSO with controlled information release to access both on- and off-campus services.
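
To make the Controlled Information Release option concrete, here is an added example (not taken from the original page or from the Shibboleth distribution) of a per-service release policy in the style of the IdP's attribute-filter.xml. It assumes IdP v3-or-later filter syntax; the two service provider entityIDs are constructed, and the attribute IDs are assumed to be defined in your attribute resolver.

```xml
<!-- Added example: per-service attribute release, IdP v3+ filter syntax assumed. -->
<AttributeFilterPolicyGroup id="ExampleReleasePolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- On-campus application (constructed entityID):
         receives an identifier and the user's affiliation. -->
    <AttributeFilterPolicy id="releaseToCampusPortal">
        <PolicyRequirementRule xsi:type="Requester"
                value="https://portal.campus.example.edu/shibboleth" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Licensed off-campus resource (constructed entityID):
         authorizes on a single entitlement value and receives no identifier. -->
    <AttributeFilterPolicy id="releaseToLicensedJournal">
        <PolicyRequirementRule xsi:type="Requester"
                value="https://sp.journal.example.org/shibboleth" />
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value"
                    value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- No catch-all policy: a service provider not named above
         receives no attributes. -->
</AttributeFilterPolicyGroup>
```

Because filtering is deny-by-default, reviewing this one file shows exactly which identity data each partner can receive.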

