David Bantz posted an interesting email, "Please, somebody talk me down!", on the Shibboleth users list, pointing to four issues that crop up over and over again with SSO in higher education:

  • Even if a vendor claims to support SAML, they are unable to consume attributes. And the provisioning of attributes includes sensitive, restricted and open information alike.
  • Proprietary extensions are used for too many of our solutions.
  • Credential relays operated by a non-trusted third party (or the SP), preferably combined with non-maintenance of the SP software?
  • Why not just use AD? Believing that using AD will automagically integrate all services.
The scary summary is that we as a community are not providing enough direction when it comes to SSO solutions.
For some of these issues (why AD does not solve all problems, credential relays) we need to explain the issues in a language that can be understood, or even better, put into calls for tender. For other issues there are unsolved technical problems, like the integration of web-SSO and non-web-SSO. The concept of real-time attributes, so beloved of higher education federations, is poorly understood by most vendors. Then again, they are not used to operating in a world where user account lifetime is planned per semester.
I am hoping that REFEDS may be a place to work on some of the issues pointed out, but the bulk of the work will have to be done by each individual university as they call for tender and discuss with their application suppliers and partners.