On Thu, 13 Oct 2005, Rhys Smith wrote:
> I'm aware that shib will work with pretty much any SSO solution we could
> throw at it - the more specific question I have is whether any SSO
> product vendors have specifically announced details of their SSO product
> being shib-enabled/compliant (in the same way that, for example,
> Novell's i-Chain is officially "liberty-compliant")? Does anyone think
> it's worth their while to do that?

One question is whether there is any process for a product to become
"officially Shibboleth compliant". At the moment there is not, and there
is not likely to be any time soon, since a compliance program involves
lots of work, and usually also involves exchanges of money, considerations
of liability, contracts, marketing programs, etc. Given this, claims of
compatibility at this point have to be evaluated by people interested in
deploying the products. Presumably the products that claim this now are
indicating some commitment to fix any compatibility issues that come up.

I think that BMC Software has done some testing of their SSO product with
Shib in response to a customer request and has made it work, though you'd
have to ask them for details.

We have also been approached by some other commercial vendors asking about
compliance. Those discussions are just starting (so I won't mention
names), but it's clear that they are responding to the interest some of
their (potential) customers have in deploying systems that are
Shib-compatible. So, if you have vendors in mind, ask them. You won't be
the first to do so.

But this is why it's so important for a product like Shib to focus on
standards compliance, since we're not a big commercial company that can
afford a product-specific compliance program. On the wire, Shib 1.3 is
approximately vanilla SAML 1.1, where this approximation is close enough
that it was able to interop with several commercial vendor
implementations, using SAML 1.1, in a demo setting at the Burton Group
Catalyst event in July. So it's pretty likely that if you had any SAML
1.1-supporting SSO product, you could get Shib to interop with it, in
either direction. It's also likely it would take some configuration work
to achieve this.

Also let me mention that Shib 1.3, with a plugin for this purpose, has
been demonstrated to interop with a large set of vendor products (pretty
much the same ones as were in the demo above) using the US Federal
E-Authentication profile. Shib doesn't yet appear on their "Approved
Technology" list
(http://cio.gov/eauthentication/documents/ApprovedProviders.htm) but I'm
assured this is just waiting for them to get around to updating the page
...

> As for the enterprise portal product question, I'm specifically talking
> about Enterprise Portals (with a capital E and P!) (e.g. Websphere
> Portal, Plumtree Portal, Oracle's product, Microsoft SharePoint Portal,
> etc), rather than specific portals. It looks like we're going to set up
> an enterprise portal here in the near future, and we're wondering if any
> of these Enterprise Portals have been, or are going to be, shib-enabled
> - we could potentially want our Enterprise Portal to be a shib-SP so
> that remote users could use our portal through shib credentials. Does
> anyone know if any of these 3rd party Enterprise Portal vendors have
> announced, or are going to announce, shib compatibility?

To the extent that the portal is just another web-based application, then
generally either they will work with externalized authentication, and
hence would work with any of the zillion open-source and vendor SSO
systems; or they don't (in which case you might wonder how flexible it
would be to meet your other needs). I haven't heard about either
successes or failures with these products.

As Tom said, when people think about portals and authentication, they
often ask whether the authentication system can help with accessing backend
applications that are fronted by the portal. This is complex and very
site-dependent. The Shib team is working on designs for using SAML for
this purpose, as we think people are interested in this and that SAML
would do a good job, but delivering product to do this is a ways off.

- RL "Bob"