Why Shibboleth is a Great Alternative to Active Directory Federation Service

John Gasper , Software Architect , November 11, 2014

If you are currently using Active Directory Federation Services (ADFS), you might want to consider implementing Shibboleth instead. Shibboleth was specifically designed with higher education in mind. Both Shibboleth and ADFS were designed for enterprise application, but ADFS was designed with higher education as an afterthought.

Shibboleth is open source, meaning that there are no license fees, it is more flexible, and it is easier to customize. Shibboleth can also run on Windows, but can be and often is run on Linux (making it more affordable than buying the Windows license that each ADFS node requires).

Shibboleth provides federated authentication across or within organizational boundaries. Shibboleth supports Active Directory, and unlike ADFS it supports many other LDAP types. Shibboleth also upholds SQL Server as an attribute store, plus many other database types. Shibboleth supports most if not all of the SAML 1.1 and SAML 2.0 profiles, so more client application integrations are supported. In contrast to Shibboleth, ADFS does not natively support federated metadata files required by popular higher education federations like the InCommon Federation.

For all of these reasons, Shibboleth is a great alternative to ADFS. Shibboleth can meet the identity and access management needs of both higher education institutions and organizations, helping to maximize the open source investment. 

Whatever the goal of the Shibboleth deployment, Unicon provides the expertise required to give the confidence that comes with a professional implementation.

"Before I knew of Shibboleth, I ran ADFS at a university in the state of Washington for several years. We mostly set it up for use with Office 365, but eventually tried to make it work with InCommon. I was kind of successful in getting it to work with InCommon, but it was a hack. It got harder and harder to maintain as we created partnerships with more third-party apps (that supported InCommon). Shortly before I left I was making plans to gut the ADFS infrastructure replacing most of it with Shibboleth. The plan was to integrate ADFS as a Shibboleth client only to support Office 365." ~ Former IAM Architect at a university in the state of Washington

About Shibboleth
Shibboleth Federated Single Sign-On Authentication Service is a standards based, open source software package for web single sign-on across or within organizational boundaries. Shibboleth, a project of the Shibboleth Consortium, allows institutions to make authorization decisions for individual access of protected online resources. The Shibboleth software implements widely used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License. Learn more at http://shibboleth.net.

John Gasper photo

John Gasper

Software Architect

John Gasper is a wonderful mix of Identity and Access Management (IAM) consultant and DevOps implementer. By day, he is implementing, configuring, or advising on one of the many open source IAM applications including CAS Server, Shibboleth, Grouper, SimpleSAMLphp, 389 Directory Server, and occasionally on a closed source applications like Microsoft Active Directory and Active Directory Federation Services. By night, John tries to automate the world of IT using tools, such as Docker, Jenkins, and Kubernetes. He has experience with cloud providers including Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. Before joining Unicon in 2013, he worked in IT at Eastern Washington University covering multiple facets of IT including Banner development and administration, Active Directory administration, and pretty much everything in between. They even let him write code for Cisco IP Phone applications