DRAFT - Under Construction - DRAFT
This is a report from the InCommon TAC's Alternative IdP Working Group. It describes alternative strategies for deploying an IdP in a variety of campus IT environments, with the goal of providing options for institutions that lack the expertise and resources to operate a Shibboleth IdP locally, which is the most widely deployed strategy within InCommon as of this writing.
The Working Group began its work by identifying a number of alternatives that can be effectively deployed today. These alternatives are:
- Shibboleth IdP (local) - Integrated with the local IdMS and operated locally, the baseline for comparison.
- ADFS IdP - Active Directory Federation Services, Microsoft's SAML IdP for Active Directory, operated locally.
- SimpleSAMLphp IdP - An open source IdP written in PHP, integrated with the local IdMS and operated locally.
- Outsourced Shibboleth IdP - Shibboleth, integrated with the local IdMS and operated by a third party.
- Outsourced Vendor IdP - A non-Shibboleth SAML IdP, integrated with the local IdMS and operated by a third party, such as Ping Identity.
- CAS (local) with Outsourced IdP - A SAML IdP, either Shibboleth or vendor, integrated with the local IdMS and operated by a third party, that delegates user authentication to a CAS server deployed and operated locally.
- Google Apps Gateway - An OIDC-to-SAML gateway, often operated by a third party, that authenticates users against their Google accounts and issues SAML assertions on their behalf, for institutions that use Google Apps for Education.
- Hub and Spoke (or Trusted Third Party) IdP - An IdP representing members of a well-defined group of institutions, such as a community college system or school district.
Fact finders were assigned to investigate each of these alternatives. See Alternative IdP Strategies and Assessment Criteria, which summarizes each alternative's functional capabilities, the effort and expertise required to deploy and operate it, its benefits and risks, and other pros and cons.
Applicability of the Strategies to Campus IT Environments
The following sections discuss the applicability of these strategies in multiple campus environments.
- AD centric
- Java capable
- CAS centric
- Prefer to outsource
The following are issues an institution must address regardless of its IdP strategy:
- Operating an IdMS