Shibboleth IdP V3 Upgrade

Shibboleth IdP V2 is reaching end of life for all security updates on July 31, 2016.  We offer professional services for helping you upgrade to Shibboleth IdP V3 or evaluate other SAML Identity Provider options.

Based on our recent Shibboleth IdP V3 upgrades, the effort estimate ranges from 20-40 hours at a cost of $2,700 – $5,400, which includes a pricing discount for higher-education institutions.

We have a very flexible approach that is tailored to fit your needs:

  • We can work side-by-side with your team through all stages of planning, deployment, testing and production cutover
  • If you have internal resources available, we can help you with planning, and you can bring us in when you get stuck
  • For organizations that do not have internal resources to devote to a Shibboleth IdP V3 upgrade, we can perform the upgrade for you
  • We primarily work remotely and collaborate with your team via WebEX.  We have had a lot of success with this approach, and we find that it is efficient and cost-effective.  We can also arrange to have a resource on-site on a time and materials basis

Here are some factors that impact effort estimates for your Shibboleth IdP V3 upgrade:

  • Internal resourcing – How much time does your team have to devote to upgrade activities?
  • Preserving IdP endpoint URLs – This will greatly help reduce the impact of the upgrade on your end users, but may introduce some planning challenges
  • Number of Service Providers – If your Shibboleth IdP is a key part of your SSO infrastructure, then you will want to add some time for coordinating with your external vendors to test and plan your cutover, especially if there are metadata updates required
  • InCommon Federation – Do you need to coordinate any changes to your InCommon Federation metadata
  • SSO integration – Do you need to integrate with CAS or other SSO providers?  Are upgrades or consolidation of SSO services within scope of your IdP upgrade?
  • High availability architecture – IdP V3 has great features that can help you simplify your HA deployment
  • Monitoring
  • Test environments – How many environments do you need to provision
  • Architecture changes – Are you considering any other SSO architecture changes as part of your IdP V3 upgrade (eg. moving to the cloud, consolidating services, etc.)
  • Testing – Test, test and test again!

If the total cost of ownership of your Shibboleth IdP environment is too high for your IT organization, you may want to consider other SAML IdP options.  SimpleSAMLphp is another open source SAML IdP that has similar functionality to Shibboleth, including the ability to consume InCommon Federation metadata.

InCommon Federation recommends Shibboleth or SimpleSAMLphp, however, there are many commercial and cloud based SAML IdP options that you might want to consider.  InCommon’s Alternative IdP working group put together a great report that discusses the trade-offs of various SAML IdP options.  We have a lot of experience in this area, and we can help you find the best authentication architecture to fit your needs.