shibboleth vs those "other" idps

Cantor, Scott cantor.2 at
Thu May 14 16:49:44 EDT 2015

On 5/14/15, 4:21 PM, "Rob Gorrell" <rwgorrel at> wrote:

>Certainly having native CAS support in IdP v3 helps my argument and I understand Ellucian claims they will eventually add native SAML support to their apps, but in the meantime, as David put it, "a lot of oxygen is being sucked up" as a result.

Ok, well, since we added CAS support thanks to Marvin, not sure what else I can say to that specific case. Should it have been sooner? Yes, but the design just wasn't there to handle it cleanly, nor was there a resource to help do it.

>So again, much oxygen was sucked up as we continued to hold the hard line. More recently, it looks like things will get much better as Modern Authentication for O365 is released and brings us the parity we could have had all along with ADFS.

Right, so what we did was not waste everybody's money supporting a dead protocol. Smart, I'd say. We saved thousands of dollars in work, and that's community money. Am I taking credit for that? You bet, because I was right. We were also right about OpenID 1 and OpenID 2. We don't get a lot of credit for recognizing when things are a dead end, even though we've been largely correct.

> But now, a new problem emerges, Microsoft having forced us to populate Azure AD in order to use O365 and Azure AD itself is touted as a cloud IdP with the ability to connect countless SaaS across multiple protocols... now with those pretty GUIs Scott was talking about, even services that support SAML are enticed by the MS marketing beast and want to peer against Azure AD since it's there, pretty and shiny and I find the need to use considerable oxygen once more on why we shouldn't do a hybrid deployment or replace shibb with Azure AD.

There's really nothing I can say to that, perhaps they'll come up with their second product ever that I didn't think was terrible (I love SQL Server, more than is right and proper for a man to love a piece of software).

In any case, what I expected to hear was OIC, but, Google notably excepted, that is not a near-term limitation to cloud adoption with Shibboleth as the IdP. I'm not saying it won't be though, assuming the OIC trust model evolves.

-- Scott
