General guidance for new admin

Mike Nielsen mnielsen894 at
Mon May 15 10:34:07 EDT 2017

Thank you, Scott for taking the time to help.

I appreciate your kind direction.

On Mon, May 15, 2017 at 9:37 AM, Cantor, Scott <cantor.2 at> wrote:

> On 5/13/17, 4:14 PM, "users on behalf of Mike Nielsen" <
> users-bounces at on behalf of mnielsen894 at> wrote:
> >
> > I'm starting to get the impression that we're putting a square peg into
> a round hole -- Shibboleth may not be the right tool for
> > what we want to do.
> No, what I'm saying is this stuff is incredibly complex and you won't find
> a simple recipe that solves your problems.
> > That's not particularly comforting to a poor schlub like me (in the
> corporate world) who kind of "inherited" this, especially in view
> > of my management's apparent expectation is that it's not at all
> complex.  That's certainly not my reading so far.
> It's not complex when you know it, it's very complex when you don't. Like
> every technology in the world.
> > I'm not sure whether any of our corporate partners might support
> Shibboleth's approach to SAML -- however that may differ
> > from any other approach (I'm not saying it doesn't differ, but I'm new
> to all this, and so don't really know).
> I'm not talking about differences that impact whether things work or
> impact compatibility, I'm talking about the approach to solving problems
> and to some degree about the design decisions that the SP is based on, not
> all of which are well suited to what vendors do in siloing their systems
> and not truly federating them. Shibboleth is designed to make it possibly
> to handle many IdPs, whereas you want to handle a small number of them,
> each likely locked down to a specific instance of your application.
> > Am I wrong in interpreting your comment to mean that Shibboleth is not
> really appropriate for corporate use?
> No, I'm really saying the typical corporate approach to SAML is flawed,
> has poor security and operational characteristics, and tends to exhibit a
> range of IAM mistakes, one of which you mentioned (using email addresses as
> identifiers).
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list