Identity Federation/SSO - Comments, Suggestions and Experiences Wanted
Bit of backstory here: the NZ Ministry of Education (MoE) is looking into SSO for MoE resources, as currently there is absolutely no unified structure, meaning that the average principal requires around eight different usernames and passwords to access the basic set of online services. As you can imagine, this number of passwords with heavy password requirements takes quite a toll on the usability of the systems, and to their credit they are looking at ways to improve.
At the moment their plans (which are not set in stone) are to work with Google Apps or Live@Edu to get a SAML2.0 compatible identity service available for those schools that have it. This should mean a single logon for many MoE sites. The issue is that due to limited funds only one may be developed, thereby either forcing schools to a single provider to get SSO or isolating them if they want or need to use a different system.
My view is that instead of forcing all schools onto a cloud-based service, each school should have the option to federate directly from their own servers to the MoE ones if they choose. At first I was looking at AD Federation Services for the Windows side, but apparently this does not work quite right with their existing SAML2.0 based services and they don't want to alter them. I have looked around and found a couple of promising open-source candidates that will interface with LDAP and provide compliant SAML federation.
My questions are:
Has anyone used Identity Federation in their schools/environments?
Has anyone found or used any open-source federation providers on Windows, Linux or OSX?
Does any other country or provider offer such a federation service at the moment?
Do you think that I am on the right track or should I just submit to the cloud?
Any feedback would be appreciated.