View Poll Results: How familiar are you with Identity Federation/SSO?

Voters
7. This poll is closed
  • Never heard of it

    0 0%
  • Heard of it

    4 57.14%
  • Have considered it

    2 28.57%
  • Have used it

    1 14.29%
  1. #1

    SYNACK's Avatar
    Join Date
    Oct 2007

    Question Identity Federation/SSO - Comments, Suggestions and Experiences Wanted

    Bit of backstory here, the NZ Ministry of Education (MoE) is looking into SSO for MoE resources as currently there is absolutely no unified structure meaning that the average principal requires around eight different usernames and passwords to access the basic set of online services. As you can imagine this amount of passwords with heavy password requirements takes quite a toll on the usability of the systems and to their credit they are looking at ways to improve.

    At the moment their plans (which are not set in stone) are to work with Google Apps or Live@Edu to get a SAML2.0 compatible identity service available for those schools that have it. This should mean a single logon for many MoE sites. The issue is that due to limited funds only one may be developed thereby either forcing schools to a single provider to get SSO or isolating them if they want or need to use a different system.

    My view is that instead of forcing all schools onto a cloud based service that each school should have the option to federate directly from their own servers to the MoE ones if they choose. At first I was looking at AD Federation Services for the Windows side but apparently this does not work quite right with their existing SAML2.0 based services and they don't want to alter them. I have looked around and found a couple of promising opensource candidates that will interface with LDAP and provide compliant SAML federation.

    My questions are:

    Has anyone used Identity Federation in their schools/environments?

    Has anyone found or used any opensource Federation providers on Windows, Linux or OSX?

    Does any other country or provider offer such a federation service at the moment?

    Do you think that I am on the right track or should I just submit to the cloud?

    Any feedback would be appreciated.

  2. #2


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Have a look at Shibboleth. Shibboleth®

    Specifically:
    About Shibboleth® - FAQ on SAML and Shibboleth relationship
    Shibboleth® - Get Started

    This has been on the RealSoon (tm) radar in .uk for some time.

  3. Thanks to pete from:

    SYNACK (20th September 2010)

  4. #3
    Nick_Parker's Avatar
    Join Date
    Jan 2008
    Location
    Dainfern, South Africa
    There were a lot of big words that confused me in the post above, so I hope this isn't completely off topic:

    We use Google Apps to provide our staff with Email/Docs/Talk/Calendars etc...
    I am currently setting up Directory Sync so our Active Directory syncs with our Google Apps accounts and then we use Google Apps as an OpenID provider for other services like Moodle/Joomla etc...

    So in theory it's only one username/password so long as the software uses OpenID?

  5. Thanks to Nick_Parker from:

    SYNACK (20th September 2010)

  6. #4

    SYNACK's Avatar
    Join Date
    Oct 2007
    Quote Originally Posted by pete View Post
    Have a look at Shibboleth. Shibboleth®

    This has been on the RealSoon (tm) radar in .uk for some time.
    Thanks, that was one of the promising candidates that I found and it's interesting to hear that this has at least been considered in the UK also.

    Quote Originally Posted by Nick_Parker View Post
    There were a lot of big words that confused me in the post above, so I hope this isn't completely off topic:

    We use Google Apps to provide our staff with Email/Docs/Talk/Calendars etc...
    I am currently setting up Directory Sync so our Active Directory syncs with our Google Apps accounts and then we use Google Apps as an OpenID provider for other services like Moodle/Joomla etc...

    So in theory it's only one username/password so long as the software uses OpenID?
    That's right, Google Apps offers an OpenID provider allowing you to use your uploaded account data to authenticate with other sources that allow for OpenID authentication. In the scenario above the MoE looks to be choosing to use the SAML protocol which is somewhat similar to OpenID. What they are proposing as far as I can tell is tying various MoE resources back to either Live@Edu or Google Apps and using these as a SAML provider (after further reading they appear to be committed to working with both). This way if you have a cloud service set up then you can use the one logon across many MoE sites (eventually).

    My issue with this is it effectively mandates the use of these providers and allowing schools to endpoint their own authentication as well would be better overall.

    I am now thinking (thanks to what I have read) that if the MoE were able to provide a central trusted Confederated Identity server which could trust and proxy all of the school Federated Identity servers then this single core server could then be set up to be trusted by the various providers so the school would only have to set up a single trust link as opposed to many. Currently I have not actually found out if such a thing (confederated identity server) exists but I remain hopeful.
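
The hub arrangement described in the post above, sketched as an added example that is not part of the original post or any product's code: each school IdP has one trust link to a central proxy, and each service provider trusts only the proxy. The `Hub` class, the entity IDs and keys are constructed, HMAC over JSON stands in for SAML's XML signatures, and validity windows and replay checks are left out.

```python
import hashlib, hmac, json

# HMAC over canonical JSON stands in for SAML's XML signatures (assumption).
def sign(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key, assertion):
    body = json.dumps(assertion["claims"], sort_keys=True).encode()
    good = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, assertion["sig"])

class Hub:
    """Hypothetical central proxy: trusts many school IdPs, is trusted by each SP."""
    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key
        self.schools = {}  # issuer -> (key, scope): one trust link per school

    def register_school(self, issuer, key, scope):
        self.schools[issuer] = (key, scope)

    def proxy(self, assertion, sp_entity_id):
        claims = assertion["claims"]
        if claims.get("issuer") not in self.schools:
            raise PermissionError("issuer is not a registered school")
        key, scope = self.schools[claims["issuer"]]
        if not verify(key, assertion):
            raise PermissionError("signature does not match the school's key")
        if claims.get("audience") != self.entity_id:
            raise PermissionError("assertion was not issued for the hub")
        # A school may only vouch for users inside its own scope.
        if not str(claims.get("subject", "")).endswith("@" + scope):
            raise PermissionError("subject is outside the school's scope")
        # Re-issue under the hub's key, recording where the login originated.
        return sign(self.key, {"issuer": self.entity_id, "audience": sp_entity_id,
                               "subject": claims["subject"], "origin": claims["issuer"]})

def sp_accept(hub_id, hub_key, sp_id, assertion):
    """SP side: only the hub's entity ID and key are configured, no school keys."""
    claims = assertion["claims"]
    if claims.get("issuer") != hub_id or not verify(hub_key, assertion):
        raise PermissionError("not a valid hub assertion")
    if claims.get("audience") != sp_id:
        raise PermissionError("assertion was issued for a different SP")
    return claims["subject"]
```

The scope check is the part a proxy cannot skip: without it, any registered school could assert a user belonging to another school and every SP behind the hub would accept it.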

  7. #5

    Join Date
    Sep 2010
    Location
    Colorado
    Hi SYNACK,

    I was researching topics that involved SAML/Federated Identity/SSO and I ran across your posting. I would suggest checking out Ping Identity. They provide SAML-based secure internet single sign-on solutions for web applications. Let me know if you'd like more info. Thanks!

  8. #6

    Join Date
    Sep 2010
    Location
    Colorado
    Sorry, here's a link to the site. PingIdentity.

  9. Thanks to BKim from:

    SYNACK (28th September 2010)

  10. #7

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Hi SYNACK

    Only just spotted this. Many National Education Network resources are Shibboleth enabled and a number of 3rd party content providers also have access Shibboleth enabled. Within EMBC we have access to Education City, Encyclopedia Britannica and a number of other tools. Within the UK it is through the UK Access Management Federation which also has a list of those accredited to the service as application / service providers.

  11. Thanks to GrumbleDook from:

    SYNACK (28th September 2010)

  12. #8

    SYNACK's Avatar
    Join Date
    Oct 2007
    Quote Originally Posted by GrumbleDook View Post
    Hi SYNACK

    Only just spotted this. Many National Education Network resources are Shibboleth enabled and a number of 3rd party content providers also have access Shibboleth enabled. Within EMBC we have access to Education City, Encyclopedia Britannica and a number of other tools. Within the UK it is through the UK Access Management Federation which also has a list of those accredited to the service as application / service providers.
    Thanks GD, exactly the kind of thing that I was after

  13. #9

    Join Date
    Sep 2010
    Location
    Colorado
    SYNACK - If you have time, I would like to speak with you further regarding your project and organization. Ping Identity currently works with the NZ Government and can provide some insight and references to their current Federation implementation. If you would like to get more details and further discuss the relationship between the NZ Government and Ping, please feel free to contact me to facilitate conversations. Thanks!

  14. #10

    Join Date
    Oct 2010
    Location
    New York
    Post edited due to unauthorised advertising. Please note that as per our AUP only forum sponsors may use the forums in a commercial capacity.
    Last edited by Dos_Box; 8th October 2010 at 02:58 PM.

  15. #11

    Join Date
    Nov 2010
    Location
    Kent
    We've currently got an IDP in place and are testing with some service providers. We are also implementing a synthetic scope so that we can act as an IDP for other schools in the area. All very nice and works well but I think service providers are waiting to see if this takes off before jumping on the bandwagon.

    I went to FAM10 in Cardiff and there were only 4 service providers (1 of them did university content). Can anyone recommend a good SP for content that is 'Shibbolised'? We've got J2e and Britannica on board. Tried MS Dreamspark but students still have to provide their Windows Live ID (thus defeating the single sign on).

    Also has anyone used Shibboleth for any other purpose than an IDP to get Single Sign on Access to a content provider?
