shibboleth vs those "other" idps
Kirk Turner-Rustin
ktrustin at owu.edu
Fri May 15 10:04:53 EDT 2015
On Thu, 14 May 2015, IAM David Bantz wrote:
> I hope it goes without saying, but just in case:
> I'm convinced, on board, and proselytizing for Shibboleth;
> I really appreciate Scott's points. I'm looking for reasons
> and stories that may be more persuasive to the skeptics
> and "brand-loyalty" I encounter. "Brand loyalty" includes
> the Ellucian/Banner tilt mentioned, Google whatever, existing
> CAS deployment, as well as in-house developed one-offs.
>
> David Bantz
Caveat lector: This is my first post.
We're an 1800 or so FTE liberal arts university with an infinitesimal
IT staff (smallest of our peer institutions in the GLCA and most of
those of similar size in CLAC). Two days ago, we went live with a
Shibboleth v3 IdP and two SPs, one ADFS SP for Ellucian PowerCAMPUS
Self-Service (we host the ADFS instance) and one OpenAM SP hosted by
an off-site vendor. We've also configured and tested Ellucian Portal +
ADFS against our IdP, to go live this summer, as well as a Shibboleth
SP. I did all of the Shibboleth setup, and one of my colleagues
did the ADFS work.
The biggest problem we had by far was working with Ellucian to get
their Self-Service and Portal products to authenticate correctly with
their recommended SP software (ADFS). The number of errors in their
applicable documentation and the lack of responsiveness from Ellucian
support were frustrating, to put it mildly. My colleague (also new to
federation and SAML) used a lot of debug logging, trial and error, and
writing his own documentation to finally get ADFS and the Ellucian
products to work together.
The second biggest problem has been getting the OpenAM off-site
vendor's SP to work with our IdP. In between typing this, I'm writing
to the vendor, explaining over and over again that they are breaking
the user's SSO context by sending the ForceAuthn="True" attribute in
their SAML request. I've been telling them this since yesterday, and
have just cited page and line number from the OASIS SAML 2 protocol
doc.
We've only just started, but so far, in general, everything that we've
had complete control over in-house via access to source code, config
files, etc. has gone well, even with the steep learning curve (I
started work on implementing IdP v3 in mid-February, knowing nothing
about federation, SAML, etc. and juggling other big projects at the
same time, and I'm far from expert now). Everything that has relied on
support from third-party commercial vendors has been painful at best.
BTW, thank you, Scott and team for scripted attributes!
Cheers,
Kirk
--
Kirk Turner-Rustin SCJP | Senior Systems Analyst
Ohio Wesleyan University | Information Services
http://www.owu.edu | http://infoserv.owu.edu
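The ForceAuthn argument above is easy to settle from evidence rather than from e-mail: decode the SAMLRequest the SP actually sends and look at the AuthnRequest attributes. The following script is an added example, not code from Kirk's post, from Shibboleth, or from any vendor; the sample requests, entity IDs and URLs in it are constructed placeholders. It handles the HTTP-Redirect binding (base64 over raw DEFLATE), reports whether ForceAuthn or IsPassive is set, and treats "True" the same as the schema-valid "true" so that a request like the vendor's is flagged rather than silently ignored.

```python
"""Inspect a SAML 2.0 AuthnRequest for ForceAuthn / IsPassive (added example)."""
import base64
import zlib
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an SP request carrying ForceAuthn="True" (placeholder IDs/URLs).
FORCEAUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_placeholder-1" Version="2.0" IssueInstant="2015-05-15T14:00:00Z" '
    'ForceAuthn="True" AssertionConsumerServiceURL="https://vendor.example/sp/acs">'
    '<saml:Issuer>https://vendor.example/sp</saml:Issuer></samlp:AuthnRequest>'
)
# Constructed sample: the same request without ForceAuthn, which leaves SSO intact.
PLAIN_REQUEST = FORCEAUTHN_REQUEST.replace('ForceAuthn="True" ', "")


def xml_boolean(value):
    """Interpret an xs:boolean attribute; an absent attribute means False."""
    if value is None:
        return False
    v = value.strip()
    if v in ("true", "1"):
        return True
    if v in ("false", "0"):
        return False
    # "True" is not a valid xs:boolean lexical form, but an SP that sends it
    # clearly intends forced re-authentication, so flag it instead of ignoring it.
    return v.lower() == "true"


def inspect_authn_request(xml_text):
    """Return issuer and the two session-affecting flags of an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "force_authn": xml_boolean(root.get("ForceAuthn")),
        "is_passive": xml_boolean(root.get("IsPassive")),
    }


def decode_redirect_saml_request(encoded):
    """HTTP-Redirect binding: base64, then raw DEFLATE (no zlib header, wbits=-15)."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def encode_redirect_saml_request(xml_text):
    """Inverse of the above; used here only to build a realistic sample URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def sample_redirect_url(xml_text):
    """Constructed IdP redirect URL (placeholder host) carrying the request."""
    query = urlencode({"SAMLRequest": encode_redirect_saml_request(xml_text)})
    return f"https://idp.example/idp/profile/SAML2/Redirect/SSO?{query}"


def inspect_redirect_url(url):
    """Pull SAMLRequest out of a redirect URL (e.g. from browser dev tools) and inspect it."""
    params = parse_qs(urlsplit(url).query)
    encoded = params.get("SAMLRequest", [None])[0]
    if encoded is None:
        raise ValueError("no SAMLRequest parameter in URL")
    return inspect_authn_request(decode_redirect_saml_request(encoded))


def findings(info):
    """Human-readable consequences of the flags for the IdP's SSO session."""
    out = []
    if info["force_authn"]:
        out.append("ForceAuthn set: IdP must re-authenticate even with a valid SSO session")
    if info["is_passive"]:
        out.append("IsPassive set: IdP may not interact with the user at all")
    if info["force_authn"] and info["is_passive"]:
        out.append("both set: contradictory, the IdP cannot satisfy this request")
    return out or ["no session-affecting flags; existing SSO session can be reused"]


if __name__ == "__main__":
    for label, req in (("vendor-style", FORCEAUTHN_REQUEST), ("plain", PLAIN_REQUEST)):
        info = inspect_redirect_url(sample_redirect_url(req))
        print(label, info["issuer"], *findings(info), sep="\n  ")
```

Paste the real SAMLRequest value (or the whole redirect URL captured from the browser) into `inspect_redirect_url` to get a record of what the SP sends; that decoded AuthnRequest, with the attribute visible, is usually more persuasive to a vendor than a citation alone. POST-binding requests are plain base64 without DEFLATE, so feed those through `base64.b64decode` and `inspect_authn_request` directly.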