Hi Richard,
We have set up something similar to what Glenn has mentioned in regards to
combining Shibboleth & ADFS for quite a few of our clients. With more and
more Shibboleth organisations starting to use Microsoft’s “Active Directory
Federation Services”, there becomes a need to seamlessly logon to both
Shibboleth and ADFS resources. ADFS resources such as SharePoint, Office
365 and Exchange (to name a few), need to work alongside the more
traditional Shibboleth resources like Learning Management Systems (such as
BlackBoard/Moodle), Library systems (Heritage) and many online e-resources.
Using these systems, users find that they need to log on to ADFS and
Shibboleth separately, causing multiple logins and thus preventing a true Single
Sign On (SSO) environment (this is against our ethos of True SSO). The ADFS
/ Shibboleth bridge simultaneously logs the user into both ADFS &
Shibboleth (by protecting the Shibboleth login with ADFS). This means that
when a user accesses an ADFS or Shibboleth resource they can seamlessly
move between both platforms without the arduous task of logging in multiple
times. We opted to protect the Shibboleth login with ADFS as we find in
most circumstances that users have deployed a load balanced setup of ADFS
already. As Glenn mentioned when trying to use purely ADFS as the IdP for
federated resources on the UK Federation it becomes a much harder task
maintaining the metadata and you also lose the ability to use raptor and
other shibboleth statistical tools.
If you would like to have a chat with a couple of clients that have
integrated the solution please let us know and we would love to put you in
contact with them.
Thanks
Kind Regards
Graham
On 19 October 2016 at 15:19, Glenn Wearen <[log in to unmask]> wrote:
> Hi
>
> I've been involved in three such deployments albeit not for UK
> institutions. We used FEMMA to do this. It's a bit 'clunky' but works with
> these caveats:
>
> * It does not work with SAML1 Service Providers (some publishers still
> support SAML1 only!)
> * It does not work with Service Providers with non-https URLs (all
> publishers use https so not really an issue)
> * It takes 80 minutes to refresh metadata if your metadata includes
> eduGAIN entities (the default in the UK AMF). I'd recommend not
> using the internal Windows database as the ADFS store.
> * It doesn't work with Raptor if you have used that for Shibb stats
>
> On the upside, it allows an institution who needs ADFS (e.g. who have no
> Unix people on their teams or have services that can only work with AFS),
> to have a single system for Single-Sign-On.
>
> There was another option which we do not test; protecting ADFS with
> Shibboleth, this gives you the best of ADFS and best of Shibboleth combined.
>
> Kind Regards
>
> Glenn Wearen
>
> On 19/10/2016 10:59, Richard Taylor wrote:
>
>> Hello
>>
>> Is there any institution out there who has successfully deployed - or
>> considered & rejected - a souped up configuration of Microsoft ADFS that
>> provides Shibboleth / SAML2 functionality?
>>
>> I'd be very interested if anyone could share their opinion of how well such an
>> arrangement would work, specifically from a Library perspective.
>>
>> For example, how easy would it be to set up authentication with database
>> publishers and maintain things like granular access rules for e-resource
>> licences?
>>
>> Thanks
>> Richard
>>
>>
>> *Richard Taylor*
>>
>> *Deputy Director of Library Services (Digital & Research)Bath Spa
>> University*
>> T: +44 (0)1225 875476
>> Visit www.bathspa.ac.uk
>>
>> Newton Park Library, Newton St Loe, Bath, BA2 9BN
>>
>>
>> lis-e-resources is a UKSG list - http://www.uksg.org
>> UKSG groups also available on Facebook and LinkedIn
>> Follow us on Twitter: https://twitter.com/UKSG
>>
>
>
--
Graham Mason CEO
Overt Software Solutions
m: 07817933669 t: 0330 2000 141
www.overtsoftware.com Skype graham.overtsoftware