Survey Results

Respondents

Colleges & Universities

Carnegie Classification	# of Institutions
Associate's Colleges: High Career & Technical-High Nontraditional	1
Associate's Colleges: Mixed Transfer/Career & Technical-High Nontraditional	1
Baccalaureate Colleges: Arts & Sciences Focus	17
Baccalaureate Colleges: Diverse Fields	2
Baccalaureate/Associate's Colleges: Associate's Dominant	3
Baccalaureate/Associate's Colleges: Mixed Baccalaureate/Associate's	1
Doctoral Universities: High Research Activity	10
Doctoral Universities: Very High Research Activity	14
Doctoral/Professional Universities	6
Master's Colleges & Universities: Larger Programs	8
Master's Colleges & Universities: Medium Programs	2
Special Focus Four-Year: Arts, Music & Design Schools	1
Special Focus Four-Year: Business & Management Schools	1
Special Focus Four-Year: Medical Schools & Centers	1
Special Focus Four-Year: Other Health Professions Schools	1

Other Respondents (Not a College or University)

InCommon Participant Type	Count
Higher Education Institution (District)	1
Research Organization	1
Sponsored Partner	3

FTE Working in Identity and Access Management (IAM)

Count	IAM staff measured as FTE*
12	<1 FTE
28	1-3 FTE
7	4-7 FTE
0	8-11 FTE
1	12+ FTE

* Numbers do not include answers over 50 people or answers where only only name was given. This question seemed to be worded in a confusing way

Products Used for Single Sign On (SSO)

SSO Product	# Mentions
Shibboleth	34
Azure Active Directory, ADFS	14
CAS	9
Okta	4
Google SAML	3
LDAP	2
Fischer	2
WSO2	2
OneLogin (SAML)	2
SimpleSAMLphp	1
Ethos	1
Acceptto	1
Portal Guard	1
ForgeRockOpenAM	1
SecureAuth	1
Gluu	1
IdentityNow	1

Federation participation

Does your institution have an IdP in InCommon or another EduGAIN federation?

Number	Has IdP in a federation?
40 (65.57%)	Yes, we have an IdP in InCommon or other eduGAIN federation
17 (27.87%)	No, we do not have an IdP in InCommon or another eduGAIN federation
4 (6.56%)	I'm not sure

Interest in federation for those participating or not sure

Of 21 respondents who did not have an IdP in InCommon (or another eduGAIN federation), 1 institution (classification: Associate's Colleges: Mixed Transfer/Career & Technical-High Nontraditional) was not interested in joining a federation. The other 20 were split 50/50 on "yes" and "maybe" when asked if interested in joining an eduGAIN federation.

Factors preventing participation in federation

Free text answers explaining why an institution had not yet joined an eduGAIN federation fell into three categories:

Lack of FTE to support participation in federation (5 comments)
Lack of interest in prioritizing federation (3 comments)
Lack of technical support (2 comments)

Institutional interest in cloud services

How committed is your institution to developing cloud-first infrastructure?

Count	Answer
1 (1.64%)	Not interested in cloud
4 (6.56%)	Prefer on-prem
10 (16.39%)	Neutral
23 (37.70%)	Prefer cloud
16 (26.23%)	Very committed to cloud
7 (11.48)	Prefer hybrid cloud

Desired features for IdPaaS product

Multi-factor Authentication (MFA)

Count	Integration Option
36 (62%)	Duo
13 (22.41%)	I would want an IdPaaS to support MFA/2FA natively
9 (15.52%)	Other (free text responses for Microsoft/Azure MFA, Okta Verify, SMS, Voice
0 (0%)	MFA is not a priority at my institution

Other Features

Points	Requested Feature
56	Institutional Branding
55	Ability to integrate with non-InCommon vendors
54	Site-specific attribute release
50	Site-specific MFA
47	Support for eduroam/Radius as a service
45	ECP
45	Password Reset
43	Consent

Where would you see IdPaaS as fitting into your institution's IAM portfolio?

Count	Option
29 (47.54%)	As a supplemental SSO option to allow my institution to access external (federated) resources
21 (34.43%)	As a replacement for primary single sign-on (SSO) mechanism
8 (13.11%)	Other (see below)
3 (4.92%)	I can’t see IdPaaS fitting into our infrastructure (please tell us why)

(Selected "Other") - Please explain

Multiple respondents indicated that they may start with IdPaaS as a supplemental option and eventually promote it to a primary option if they liked it. One respondent would be interested in using IdPaaS for guest account authentication. Others indicated needing more information to evaluate, but expressed interest if IdPaaS would cut down on overhead/staffing demands.

(Selected "I can't see IdPaaS fitting into our infrastructure") - Please tell us why:

All who did not see their institution running an IdPaaS product are happy running their own SSO infrastructure, either on prem or in the cloud.

Incentives and reservations

What other features could an IdPaaS provide that would make this approach attractive to your institution? What reservations would you have about deploying an IdPaaS solution?

Highly Mentioned
Resiliency/High Availability Including concerns about dependency on the internet. Many mentions of 100% uptime.
Cost
Easy SP integration
Flexibility Concerns about loss of control as a result of committing to an IdPaaS product.
System/Protocol Integrations CAS, OIDC AWS, Azure, "ERP"
Security of system
SIEM/Logging

Multiple Mentions
Delegated administration
Adaptive policy controls
Metadata MDQ, InCommon
Social to SAML Including account linking and registration
Privacy
Reporting Including security events and troubleshooting tools
Attractive licensing terms Concerns about costs not scaling well with user populations including alumni, parents, etc., demonstrating value proposition to leadership when current expenditures on IdP support already low, contract that will meet state procurement requirements
Friendly admin UI
Staffing requirements
Support Including for SP integrations
Standards & Interoperability

Also Mentioned
Governance Administration
Certificates
Ease of deployment
API access to IdP
External attribute source
Proxy for SPs that can't support multilateral federation

Source materials

Page tree