
Notes:


Despite its capabilities, there are a surprising number of things that Shibboleth itself doesn't specify:
It doesn't specify how users are actually authenticated – in practice existing systems, such as Raven, are normally reused
It doesn't say how authorisation decisions should be taken or implemented
It doesn't even define how information needed for authorisation should be represented
It doesn't provide any guidance on how its authentication or authorisation services should or could be added to web applications
BUT it does provide a framework for binding together existing implementations of all these into something that proves to be useful.