CAF – Recommended IdP Software

Below is a list of recommended software for identity providers with native support for SAML2 (protocol used for Research & Education multi-lateral federation) with the following capabilities:

  • Fetches metadata hourly to stay current and responsive to metadata changes.
  • Validates metadata using CAF signing keys to ensure the integrity of trust is intact.
  • Loads the full complement of CAF metadata for appropriate coverage of service.
  • Domain control of the entity identifier, ensuring you the Participant have agency and control over your institution’s identity provider.
StateSoftwareRecommended VersionSecurity NotesConfiguration Reference
SupportedShibboleth Identity ProviderV5 latest, v4.3.x latest for existing participants until September 1, 2024V5 security advisories V4 security advisoriesV5 Overview V4 Overview CAF Metadata Details
SupportedADFS ToolkitLatest Installing and Upgrading
EndorsedSATOSALatestSecurity advisoriesInstallation
EndorsedSimpleSAMLphpLatestSSPHP security advisoriesDocumentation
EndorsedApereo CASLatestCAS Apereo security advisoriesDocumentation

CAF Common URLs are available for the endorsed software configurations.

Which identity provider is right for me?

CAF recommends the Shibboleth Identity Provider (IdP) as the reference IdP on Windows or Linux; however, there are many other factors to consider, which is why there are multiple supported options.

Organizations using something other than Shibboleth as their IdP should take into consideration the differences in features which may result in operational overhead.

What’s the difference between supported and endorsed?

Supported: Identity providers are those for which the CAF team can directly field questions and support your implementation team on all aspects of the operations and configuration. The supported software suppliers are usually the first to support key features of the R&E federation, and are tested early on by the CAF Team.

Unsupported: Identity providers are either assessed or have been tested at one time by the CAF team to successfully interoperate with the Research and Education trust model. Feature sets are comparable to the “Supported” identity providers, however support from the CAF team will be best effort and you should look to community resources or the software vendor for direct support.

Can I use my existing SAML2 identity provider or cloud provider?

No, not directly without a proxy.

Bi-lateral or point-to-point SAML connections do not satisfy the requirements of the R&E multi-lateral trust model, hence the need for a proxy component.

All supported and unsupported software have some form of proxying capability, however the Shibboleth IdP is the only recommended and CAF supported solution for proxying.

I need more than just SAML2 for my identity provider; is that possible?

Yes.

All Supported and Endorsed identity providers support multiple protocols. However, the R&E multi-lateral trust model is currently only in SAML2.

What if I want to outsource my identity provider?

You may choose to contract a managed solution provider such as Cirrus Identity or Unicon to operate your IdP.

Our US partner organization, Internet2, has a list of vendors in their Catalyst Program that are well versed in operating and/or offering Identity Provider solutions. Fees to your vendor are in addition to CAF participation fees.

If you have a recommendation for a managed solution provider that has served you well, please let us know at tickets@canarie.ca.

Where can I find training resources?

Internet2, our US partner organization, has the InCommon Academy Training Curriculum geared toward the Shibboleth identity provider and other IAM technologies.

You can find the installation guide for Shibboleth here and the ADFSToolkit v2 here.

Considering another approach?  

We’re here to help. Contact us at tickets@canarie.ca and we can help you find the best solution for your organization.