At work we made the tough decision to get rid of Shibboleth 3 as our identity provider. We had encountered some pretty horrific performance issues with Shib3 (which we tried to resolve, and sought assistance from user mailing lists, etc.).
In addition to this we were looking for a solution that aligns better with our system build and deployment procedures (Open Source definitely preferred!).
My most recent task was to evaluate simplesamlphp as a possible SSO replacement. The first thing I noticed is that it is much simpler to set up than Shibboleth: the same software (which is just a set of PHP files living in your web root) can be configured to operate in SP or IDP mode.
The graphical admin UI is terrific.
One of the downsides is the use of auth_memcookie for sharing Shibboleth authentication and attributes with non-PHP web applications. In a nutshell, it just did not seem to work as documented (the group authorization options simply didn't work; I raised a bug 11 days ago, https://github.com/mcarbonneaux/Apache-Authmemcookie-Module/issues/5, which still has not been replied to).
As the simplesamlphp IDP is excellent (and provides a very easy mechanism to customise), I decided to try pairing it with mod_shib (which is an Apache module that implements a SAML2 SP).
After some relatively minor tweaks, and using the simplesamlphp admin utility to convert the SP metadata into the required PHP config format, it all worked without a hitch. So now we don't have to rewrite our Shib SP authorization rules, sweet!
More benefits from running with a simplesamlphp IDP:

- Speed: it is so much faster than Shibboleth!
- Reduced dependencies (no Java/Tomcat 8) means we can switch to an Ubuntu LTS release.
- Simplesamlphp supports SLO (it actually works! The IDP logs out all SPs when IDP logout is initiated).
- Simplified deployment: the Ansible playbook is about 30% the size of the Shibboleth IDP one!
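As an added example (not configuration from this post or from the SimpleSAMLphp project), this is the shape of the entry that the admin metadata converter produces in the IdP's `metadata/saml20-sp-remote.php` when fed a Shibboleth SP's metadata (which mod_shib publishes at `https://<sp>/Shibboleth.sso/Metadata`). It covers the two points above: the SP endpoints the IdP needs, including the SingleLogoutService that IdP-initiated SLO relies on, and the attribute-naming tweak (OID names with the `uri` NameFormat) that a stock Shibboleth `attribute-map.xml` expects. The entityID, hostnames, attribute list and certificate are hypothetical placeholders.

```php
<?php
// Added example: one remote-SP entry for a Shibboleth SP (mod_shib) in the
// SimpleSAMLphp IdP's metadata/saml20-sp-remote.php.
// All identifiers below are hypothetical; replace them with the values from
// your SP's https://<sp>/Shibboleth.sso/Metadata output.

$metadata['https://sp.example.org/shibboleth'] = [
    // Where the IdP POSTs the SAML Response (taken from the SP's metadata).
    'AssertionConsumerService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
            'index'    => 1,
        ],
    ],

    // SLO endpoint: without this the IdP cannot propagate logout to the SP,
    // so an IdP-initiated logout would leave the SP session alive.
    'SingleLogoutService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://sp.example.org/Shibboleth.sso/SLO/Redirect',
        ],
    ],

    // SP signing certificate (PEM body, no BEGIN/END lines), copied from the
    // <KeyDescriptor> in the SP metadata. Placeholder value here.
    'certData' => 'MIIC...PLACEHOLDER...',

    // Shibboleth's default attribute-map.xml matches on urn:oid names with
    // the "uri" NameFormat, so map friendly names to OIDs before release.
    'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
    'authproc' => [
        100 => ['class' => 'core:AttributeMap', 'name2oid'],
    ],
    // Only release what this SP actually needs (friendly names, mapped above).
    'attributes' => ['eduPersonPrincipalName', 'mail', 'eduPersonAffiliation'],
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',

    // Hardening: sign assertions as well as the response, and sign/validate
    // logout messages so a forged LogoutRequest cannot terminate sessions.
    'saml20.sign.assertion' => true,
    'sign.logout'           => true,
    'validate.logout'       => true,
];
```

On the SP side, `shibboleth2.xml` must point its `<SSO entityID="...">` at the IdP's entityID and load the IdP metadata from `https://<idp>/simplesaml/saml2/idp/metadata.php` (the default SimpleSAMLphp IdP entityID unless overridden in `saml20-idp-hosted.php`); the SP's existing `RequestMap`/`.htaccess` authorization rules keep working because they act on the released attributes, not on which IdP issued them. Before going live, check that `validate.logout` is on and that the SP's metadata lists the same SLO endpoint, otherwise a logout initiated at the IdP silently skips that SP.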
In a nutshell, I think a simplesamlphp IDP and Shibboleth SP are the perfect match!
