Description
Shibboleth, integrated with the local IdMS and operated by a third party.
Fact Finder
Mark Beadles, OARnet
Example Deployments
1. Shibboleth deployed on server(s) outside the institutional network ("in the cloud") and operated by a third party - Shibboleth in the Cloud
2. Shibboleth deployed on server(s) or appliance(s) within the institutional network and operated by a third party - Shibboleth in a Box
Support for the Recommended Technical Basics for IdPs, including the ability to consume metadata
As with Shibboleth (local).
Support for Attribute Release
As with Shibboleth (local).
Support for Entity Attributes/categories (e.g., R&S)
As with Shibboleth (local).
Support for Multiple Authentication Contexts for Multi-Factor Authentication and Assurance
As with Shibboleth (local), assuming that (1) the third-party operator supports/provides the Multi-Context Broker (https://spaces.at.internet2.edu/display/InCAssurance/Multi-Context+Broker), an extension to the Shibboleth IdP, and (2) additional integration is performed between the third-party operated server(s) and the institution's authentication providers.
Support for ECP (Enhanced Client or Proxy)
As with Shibboleth (local), assuming that the third-party operator has configured and enabled the SAML2 ECP profile (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableECP).
Support for User Consent
As with Shibboleth (local), assuming that the third-party operator has configured and enabled an extension such as uApprove (https://www.switch.ch/aai/support/tools/uApprove.html) or equivalent.
Expertise Required
Expertise in Shibboleth, SAML, XML, and Java is not required, since these are outsourced to the operator. The institution still needs sufficient expertise to run its own IdMS infrastructure.
Resources Required
1. Shibboleth in the Cloud: the main resource requirement is financial; however, the institution will need to provide personnel time for integration and testing with the third-party server.
2. Shibboleth in a Box: in addition to the requirements for deployment 1, the institution will need to provide data center space and potentially a server platform for use by the third-party provider.
Upkeep and Feeding Required
Upkeep and feeding of the IdP proper are handled by the third-party operator; however, the institution will still need to monitor, patch, and maintain the IdMS infrastructure.
Applicable Environments
Since the operations are outsourced, this model can work with nearly any environment.
Benefits
Most or all of the benefits of Shibboleth (local), but without the requirement to install, operate, maintain, or have operational expertise in Shibboleth.