Nigel Bruce wrote:
> We decided about 12 months ago to move away from using AthensIM but
> we've been waiting for Version 2 of Shibboleth to appear. This seems to
> have been imminent for some time :-) Our thinking was that we didn't
> want to do two moves (AthensIM ---> Internet2 1.2/1.3 implementation
> --> Internet2 version 2.0) when we could get away with one. Do you
> think we should stop waiting for 2.0 and move to 1.3? Do you have any
> inside information? If we have to abandon AthensIM now, we will?

I'll answer this a bit more generally for the list's benefit.

Both Shibboleth 2.0 SP and IdP are at the "release candidate" stage now,
which is to say they are feature-complete and fairly close to debugged.
The list of things to be fixed before final release is apparently down
to a handful, so we really don't have long to wait now.

On the SP side (I know you didn't ask about that) unless you are using
any of the new features (like SAML 2.0), the 2.0 SP is pretty much a
drop-in replacement for the 1.3 one. In particular, the configuration
of the SP hasn't changed very much since 1.3 and Scott is putting
together a basic conversion script. I'd therefore expect the 2.0 SP to
be adopted fairly quickly once it is formally released. I don't expect
everyone currently using the 1.3 SP to rush to upgrade, but my gut
feeling is that it is likely to become the dominant platform for new
deployments fairly quickly. The 2.0 SP interworks seamlessly with both
1.3 and 2.0 IdPs, so why wouldn't one go that way?

The configuration of the 2.0 IdP is quite different to its 1.3
equivalent, even when you're not using the new features. That's not a
criticism, by the way, just an observation. It may mean, though, that
people currently using the 1.3 IdP will hang on to it for quite a while,
only upgrading when they find they need the features in 2.0 that haven't
been back-ported. In most cases, that will be SAML 2.0 support or
support for storage-backed eduPersonTargetedIDs.

Of course, SAML 2.0 support is a sufficiently big new thing that it is
like that old saw about videophones (before such things existed): it
doesn't do you much good to be the first kid on the block with a
videophone, but once some threshold has been passed then everyone will
look at you funny if you don't have one. It is really hard to guess
when that tipping point will come for SAML 2.0 (or for videophones!),
but the implication is that although deploying something based on the
Shibboleth 1.3 generation of software does mean you'll want to upgrade
again at some time in the future, it probably doesn't mean you'll be
forced to upgrade again very soon. I personally expect the 1.3
generation and 2.0 generation of software to co-exist for some time, in
other words.

Obviously I've studiously avoided trying to give you actual advice here
;-) but at this point, I really don't think you could be criticised
for either going for a 1.3 IdP deployment (everyone understands how to
do that, so lots of support available) or a 2.0 IdP deployment (lots of
street cred for being an early adopter plus less need to upgrade again
later *but* far less peer support available today). Which way you go
depends on which of those things are most important to you.

-- Ian