

Ask HN: What's your opinion on Shibboleth? - LeafStorm

My university's IT department is currently working on deploying Shibboleth [1] on campus, to replace the old mix of LDAP, Kerberos, and a homebrew solution called WRAP, at least for Web applications. I have been doing a lot of research on Shibboleth, so I was wondering: What are your opinions on Shibboleth?

[1]: http://shibboleth.internet2.edu/
======
patio11
2nd hand opinion: ex-day job investigated using it for our universities.
Result of investigation was a resounding "inappropriate for our needs." They
cited a few reasons. One of them was "insufficient documentation in Japanese",
which is probably not an issue for you. Others were "poor UX" and "high
anticipated integration costs."

We ended up picking OpenID instead. If you've heard me talk about OpenID
before, "Shib: not quite as good as OpenID" is all you need to hear.

------
rgraham
I built a system around Shibboleth at a University several years ago. We did
some extra work to improve the UX. I'm not sure how installing Shibboleth
itself went, but from an API use perspective I can't complain.

OpenID might be a better choice these days. It was more dream than reality
when we picked Shib. If OpenID isn't an option...I'd vote for Shib over
cobbling something together yourself from AD.

------
intesar
We implemented Shibboleth at Cisco after reviewing CAS and other products.
Remember it lacks Single Sign Out, so you need to build this thing yourself.
You may also want to check out OpenSSO, which is open source and free, forked
from Oracle (Sun) Identity Manager

<http://java.net/projects/opensso/>

