shibboleth vs those "other" idps

Rob Gorrell rwgorrel at
Thu May 14 16:21:16 EDT 2015

> Any examples? I'd be curious

Sure. David already touched on a prominent one, Banner. Like I'm sure as is
the case at many schools who use Banner, if there is one application that
is likely to get what it wants, it's Banner. And because Ellucian decided to
take the stance of offering SAML support with Banner XE by creating their
own IdP called Ellucian Identity Services (taken from WSO2) as a means of
translating SAML to CAS rather than support SAML directly in their apps,
many here are convinced we must deploy EIS (either as an island or as a
hybrid with shibb) in order to do effective SSO. Certainly having native
CAS support in IdP v3 helps my argument and I understand Ellucian claims
they will eventually add native SAML support to their apps, but in the
meantime, as David put it, "a lot of oxygen is being sucked up" as a result.

The other one is Office 365 and Azure AD. We are one of those schools that
tried to draw a bit of a hard line with O365... we weren't going to sync
passwords and we weren't going to stand up an ADFS environment, so we went
the way of SAML integration and learned quickly while this was great for
the web apps, without support for WS-fed active authentication, many other
features simply wouldn't work with SAML (like the ability to activate all
that free software Microsoft is giving away to our students). So again,
much oxygen was sucked up as we continued to hold the hard line. More
recently, it looks like things will get much better as Modern
Authentication for O365 is released and brings us the parity we could have
had all along with ADFS. But now, a new problem emerges, Microsoft having
forced us to populate Azure AD in order to use O365 and Azure AD itself is
touted as a cloud IdP with the ability to connect countless SaaS across
multiple protocols... now with those pretty GUIs Scott was talking about,
even services that support SAML are enticed by the MS marketing beast and
want to peer against Azure AD since it's there, pretty and shiny and I find
the need to use considerable oxygen once more on why we shouldn't do a
hybrid deployment or replace shibb with Azure AD.


Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro