I knew you'd been putting a good deal of thought into this ...
thanks for sharing with the community.
On 1/4/10 6:17 PM, J. Greg Mackinnon wrote:
[log in to unmask]" type="cite">
Keep in mind that InCommon implements only the WAYF component of
Shibboleth. Organizations may choose to implement a non-Shibboleth IdP
that produces Shibboleth-compatible assertions (as Shib people like to
call them) or "claims" (as Microsoft and others call them). Microsoft
has created their own IdP called "ADFS" (Active Directory Federation
Services). ADFS is Shib compatible. Most federation scenarios for
SharePoint involve the use of ADFS. There are some people who have
gone the Shibboleth integration route, but they are riding the bleeding
edge, and in something of precarious support situation. Owing to the
complexity of the SharePoint technology stack, I really don't want to
be out on the bleeding edge. We cannot stand on it without getting
badly cut (to extend the analogy).
We are already in our own precarious place right now with
PartnerPoint. No one really likes PartnerPoint... it is not really
supportable, it likely will not be updated for compatibility with the
2010 version of SharePoint Services. And yet, we have a fair number of
PartnerPoint users for whom we need to provide a working alternative
solution. A bad situation to be in, and one that was brought on by a
lack of respect for the dangers of bleeding edge technology.
After our last investigation into this issue, we concluded that there
were no great solution for SharePoint federation. We put this project
on hold pending the release of ADFS v2 (just released late this fall)
to see if new interoperability scenarios became available. We also
have been awaiting SharePoint 2010 documentation to see what the
allegedly naively claims-aware version of the application can do for us.
To summarize... I have been thinking about this situation actively. It
is going to take more time before a solid and supportable solution
On 1/4/2010 5:59 PM, David Todd wrote:
[log in to unmask]" type="cite">
Microsoft is an InCommon member, and I vaguely recall some
discussion that they were implementing Shib in Sharepoint. Is there
some way you can check to see if that's in the Sharepoint roadmap?
On 1/4/10 5:53 PM, J. Greg Mackinnon wrote:
[log in to unmask]"
type="cite">Some people are doing this... it is not trivial to
configure, though. We have been considering implementing federated
single sign-on for SharePoint (presumably using Shibboleth in some
capacity) for awhile now.
However, one of the main problems with Shibboleth is that not everyone
we want to collaborate with is a member of the "InCommon" federation
(in fact, almost none of them are). It is a chicken-and-egg problem...
there is no reason to use Shib in your applications until other people
have Shib Identity Providers (IdP), and other people have little
motivation to implement an IdP unless you have an application for them
to use it with.
As an interim solution, we have been considering the use of the
"guestnet" account database (currently used for guest Wi-Fi access at
UVM) as an additional authentication source for Shibboleth to allow
external affiliates with no access to a Shibboleth infrastructure to
Anyway, we really need to start thinking seriously about how to make
federated sign-on work for SharePoint. PartnerPoint is proving itself
ETS Systems Architecture and Administration
On 1/4/2010 3:13 PM, Andrew Hendrickson wrote:
Just a related geek question for the
Sharepoint admins: Can Sharepoint be connected to Shibboleth?
I'm not sure if this would apply in this situation but it may in other
Quoting Kevin Hytten <[log in to unmask]>
Mon, 04 Jan 2010:
Take a look at:
Here is information about what you are looking for - creating an
external user account. Note, I think you need to have your site set up
first - you can create a new Sharepoint site here:
Click on the link under "Create your own site..."
Kieran M. Killeen wrote:
Hello....I am interested in building
sharepoint site to facilitate collaboration across multiple
universities. Can I create such a sharepoint site at UVM? Will I need
to assign a unique ID and password for non-UVM employees to access
such a sharepoint?
I appreciate any help you can provide. Thank you.