Description
An IdP run on a locally-supported platform with vendor support for the installation, configuration, and operation of the IdP itself. In this assessment, we will assume the IdP software is Shibboleth.
Fact Finder
David Walker
Mike Grady
Example Deployments
The University of California Hastings College of the Law (http://www.uchastings.edu) has a Shibboleth IdP that was installed and configured by Unicon on Hastings-managed servers, and the IdP continues to be managed by Unicon on behalf of UC Hastings. More common to date is for an institution to hire a vendor such as Unicon to install and configure the IdP initially, with the campus primarily managing it after that, often with a support contract to get vendor help as needed. Servers can be within the institution, or in cloud infrastructure such as AWS or Azure.
Support for the Recommended Technical Basics for IdPs, including the ability to consume metadata
The Shibboleth IdP can be configured to support all recommended technical basics.
Support for Attribute Release
Shibboleth can be configured to release any attributes supported by the IdMS. Attribute filter policies configured on the IdP control which attribute values are released to which SPs, and they can be written so that release is privacy-preserving.
Support for Entity Attributes/categories (e.g., R&S)
The IdP software supports the release of entity attribute bundles in fixed or dynamic subsets to all SPs or only to R&S SPs. The benefit of supporting attribute bundles is decreased administrative overhead: attribute release is configured once for the entity category rather than separately for each SP.
Support for Multiple Authentication Contexts for Multi-Factor Authentication and Assurance
Identity assurance: the Multi-Context Broker, an extension to the Shibboleth IdP, supports multiple assurance profiles.
Support for ECP (Enhanced Client or Proxy)
ECP is a SAML authentication profile for non-browser clients. There is a Java client which is a wrapper around the Apache HTTPClient that provides Shibboleth support.
https://github.com/reckart/shib-http-client
Support for User Consent
User attribute release consent can be implemented with uApprove, an extension for Shibboleth IdPs. It also handles Terms of Use acceptance.
https://www.switch.ch/aai/support/tools/uApprove.html
There is also current work on a privacy manager through the NSTIC-sponsored Scalable Privacy Project.
Expertise Required
Expertise in the installation, configuration, and operation of the hardware and operating system is required. Specific expertise in Shibboleth, however, is provided by the vendor.
Resources Required
Hardware resources that must be allocated are dependent on load, but are generally low. Shibboleth requires a Java servlet container, such as Jetty, which could be provided by the vendor.
Upkeep and Feeding Required
The hardware and operating system must be maintained by the institution. Upkeep of the IdP itself, and probably of the Java servlet container, would be the responsibility of the vendor.
Applicable Environments
Shibboleth is highly adaptable to arbitrary environments.
Pros / Benefits
Shibboleth is the mainstream SAML implementation. It is used in the vast majority of federation deployments, and new developments in the use of SAML are usually built for Shibboleth first. Outsourcing support can facilitate quick deployment of the IdP. The outsourced support can be utilized for the long term, or support can be phased over to the institution over time.