edugain-discuss - Re: [eduGAIN-discuss] reference for expired certificate warning

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] reference for expired certificate warning


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Guy Halse <guy AT tenet.ac.za>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] reference for expired certificate warning
  • Date: Thu, 21 Nov 2019 16:22:58 +0000

This is exactly what happens in the US, too. We have a very large number of smaller colleges and universities that don’t have the resources to support anything else but ADFS. My argument is that it is actually harder for both them and us to support than for them to run a packaged version of the Shibboleth IdP, but that argument often falls short given the realities of those campus environments.

Nick

On 21 Nov 2019, at 1:25, Guy Halse wrote:

Hi

On 2019/11/20 01:02, Nick Roy wrote:

Perhaps counterproductively adding to my rant below: ADFS is terrible, but works just well enough to lull people into the belief that it won’t screw everything up, as it invariably does, down the road. I spend at least 80% of my direct-end-user-contact time coaching people with ADFS problems. ADFS should not be used in the context of R&E federations, nor should other similar software. This is a real problem that I don’t know how to address in our context, but the problem is getting worse every day.


With respect, I think this rant comes from a privileged position of being an established player in a wealthy economy.

I'll agree with you that it's terrible. However, in the context of developing R&E federations, it is the establishment we are effectively competing against.

Whether we like it or not, many of our institutions are well entrenched within the Microsoft ecosystem, and already make use of ADFS for integration with O365 and a bunch of other things. They have staff who know enough about ADFS to make it work for those use cases. On the contrary, Shibboleth/SimpleSAMLphp/etc are things they have likely never encountered before. What that probably boils down to is that Microsoft are good at marketing; we are not.

Our reality is also that universities are underfunded, under-resourced and understaffed. That has two implications: the status quo has a very long tail, and so anything that takes them out of their comfort zone gets put on a back burner for a really long time.

When a researcher arrives with a use case for R&E federation, their natural answer is to set up a point-to-point relationship in ADFS in the Microsoft way. This is understandable, because it is entirely within their comfort zone, and reuses infrastructure they've already built. Even if they're not already ADFS users, installing ADFS - a product they've effectively already paid for and can get local support for through their existing partners - is far more attractive than building new infrastructure, even if that software is "free". The result is that when we come to them with the idea of R&E federation, our starting position is on the back foot. Persuading them to federate is hard enough, without having to argue against a product they're already using and that's meeting most of their other requirements.

I'm very aware that even I have a privileged position. Our economy is such that I can turn round to institutions and say "we can get it to work, but only if you upgrade to the latest version", thus limiting my exposure to the broken. However that's not reality in other countries I've worked with, because in addition to the problems above, upgrading involves more money. And that doesn't happen until products go out-of-support and there's no alternative.

Thus from my perspective, ADFS is something I have to learn to live with if I want R&E federation to succeed here. Given the choice between living with ADFS's quirks and abandoning the idea of getting R&E federation working, I'll choose the former. Because I have researchers who need me to maak 'n plan. [1]

</metarant>

- Guy

[1] https://www.quora.com/What-does-a-boer-maak-n-plan-mean
--
Guy Halse
Director Trust & Identity
Tertiary Education & Research Network of South Africa NPC
Fault Reporting: +27(21)763-7147 or support AT tenet.ac.za
Office: +27(21)763-7102
http://www.tenet.ac.za/contact
https://orcid.org/0000-0002-9388-8592

Attachment: signature.asc
Description: OpenPGP digital signature
