Category Archives: Gluu

SAML SSO with Shibboleth

Original Source – SAML SSO with Shibboleth


Federated Identity and OpenID Connect: Why Higher Ed Needs OX

Access to premium content is now one of the greatest value-adds universities can offer students, faculty and staff. Through the use of federated identity with open standards like SAML, universities can enable their university-issued credentials to provide access to valuable third-party content, like email and course material.

However, the majority of U.S. universities either have no federation implementation, or a very limited deployment. To compound this problem, due to the complexity of configuration, very few websites support SAML — the leading federation standard on the Internet today.

In the time that SAML adoption has not happened, Google and other consumer IDPs have become indispensable to people for mobile and web access management.

SAML came out before the invention of the iPhone. Since then, the infrastructure of the web has shifted to accommodate advances in technology, and developer feedback is clear: they don’t want to integrate SAML in their applications.

There are many indicators that something is wrong with SAML adoption. Moderate success is not good enough. An infrastructure service like authentication needs to have ubiquitous adoption in order to make a significant impact. For example, the Internet wouldn’t work as well if we had to support IPX and Banyan Vines at the same time.

While Shibboleth is currently the most popular open source SAML software in use by higher education, Shib 3 is not the answer…the way forward is OX!

Shib 3 only gets you improved SAML. OX enables the institution to support next-gen OAuth2 authn / authz and federation. The recently finalized OAuth 2.0 profile for authentication, OpenID Connect, fills the need for a simple yet flexible and secure identity protocol, and also lets organizations leverage their existing OAuth 2.0 investments.

Gluu has a very simple migration plan from Shibboleth 2: using our LoginHandler, a person is able to get both a SAML and OpenID Connect session. Despite a head start of years, MSFT will probably very soon have more SAML IDPs than Shibboleth, and MSFT are on track to deliver their OpenID Connect server before Shibboleth. However, proprietary software and its expensive licenses are not as appealing to budget-conscious universities as it is to large enterprises.

OX provides a competitive value proposition, while maintaining a flexible open source license. Before we convert the last 90% of universities to the wrong protocol (SAML) and proprietary software, maybe its time to at least have a conversation if that’s the right thing to do.