shibboleth vs those "other" idps
jdennis at redhat.com
Thu May 14 15:20:45 EDT 2015
On 05/14/2015 02:37 PM, Bryan Wooten wrote:
> Ok, my cents.
> Given SAML is a known standard and most SaaS vendors (SPs) support
> SAML more or less correctly, I think it is in a school's best
> interest to host its own IDP using Shib.
> Hosted SAML IDP (Ping, Okta, Gluu) is not inexpensive, but having in
> house Shib expertise is not free either.
> Having said that, schools will always need in house talent to
> control, monitor, test, integrate SPs with the IDP (whether Shib or
> And here is the important part. Outsourced vendors are in no
> position to support ECP, MCB, Fedushare, LOA (Silver), etc. needed in
> a research / academic world.
> One last thing. The support from Open Source Community surrounding
> Shib (and CAS) is at least equal to or superior to any commercial
> support contract.
I couldn't agree more with the observation that Open Source provides
tremendous benefit over proprietary solutions. Not only are proprietary
solutions expensive but if you've ever tried to get a bug fixed, a feature
added, or simply a coherent answer to a support question by a
proprietary vendor you'll be familiar with the frustration. Of course
then there is vendor lock-in to contend with. I'm not saying Open Source
is perfect, but it tends to work better and be more responsive. For
example consider all the fabulous information shared daily on this list.
Do you think you would get that from a proprietary vendor?
Shibboleth is the de facto standard for an open source implementation of
SAML and has an excellent history. I'll just add it's not the only open
source IdP option if you happen to be looking for choice. Ipsilon
(https://fedorahosted.org/ipsilon/) is another option (also supports
authentication protocols other than SAML2).