The Wisdom of Crowd?
I was at the Atlassian European User Group meeting in London this evening. It was a good event. The Atlassian folks, red-eyed and bleary off a plane from Australia, were friendly, charming, and young. It was a worthwhile event - though we should have brought some non-technical people along so they could see lots of interesting ways to use JIRA and Confluence.
In one of the presentations, Scott Farquhar of Atlassian (one of the two founders of the company) introduced Crowd, a piece of middleware for single-sign-on (SSO). This sounded rather good, given that it supports Confluence, JIRA, Jive Forums, and Jive Wildfire Messenger (in other words, our whole "social software" shooting match). I put my hand up to ask "What about Shibboleth support?" Scott looked a bit puzzled. Mike Cannon-Brookes (the other founder of Atlassian) said "Check the FAQ on the website". So I did. (For non-specialists, SAML and Shibboleth are essentially the same thing).
In our opinion, for the 98% of businesses who wish to enforce single sign-on, SAML specification is too complex to be truly practical. The breadth of understanding, deployment and support of these large frameworks is beyond the scope of most developers' needs or their ability to manage. Most developers and IT managers need a solution that is simple and cost effective to deploy. Crowd was developed as a practical, simple and secure alternative for identity management and single-sign on across an unlimited number of web-based applications.
So that would be a resounding "no".
In a year or so, most (and all the big) UK universities, and many of their key knowledge suppliers, will be members of the UK Access Management Federation. I imagine a fair number of US institutions will be members of the US equivalent, too. And similarly, other EU institutions. In any case, UK institutions will be pushed to Shibboleth once their current access management service, Athens, becomes chargeable.
We have an unlimited user licence for Confluence, and an Enterprise licence for JIRA. If we were procuring now, no Shibboleth would be enough of a reason not to choose these products. I would happily hand over a sizeable chunk of cash for an SSO solution (Cloud, when released, will cost money) that let me Shibbolise my social networking service offering in one go. But cool though Crowd looks, is it really worth it if I have to Shibbolise in a year's time in any case?
I respect Atlassian's view - they are clearly bright people - but I do hope they reconsider. Why? Well, one of the presentations at the user group was given by event sponsor Headshift, who are building outward-facing applications in fields like elearning on Confluence. I think Confluence is a great platform to build on. We could use a hosted wiki, or another wiki server, but we chose Confluence for two reasons: because it has so much potential as a platform, and because it had LDAP integration. I think Headshift are spot on in what they are doing. And what's the consequence of this? If I could Shibbolise Confluence, I could use it as an elearning, or learning resource platform for the whole HE community. Maybe I'm a publisher putting an expert publication on line. Maybe I'm a research group, collaborating with partners across Europe. Maybe I'm a faculty supporting a joint degree. Maybe that's the 2% of businesses. Maybe that 2% would grow if Crowd supported SAML. You see, in Higher Education at least, Shibboleth is the new LDAP.
We've got an increasing amount of valuable content sitting in Confluence, and we like Confluence. We don't particuarly want to migrate away from Confluence, but we will be Shibbolising our important web applications, or migrating to applications that support Shibboleth. It would take a failure of the UK Federation for us to change course. The potential of Crowd is tantalising - because it takes care of so many applications at once. We don't need something like Cloud to be a Shibboleth IdP (though that's a cool thought), but we do need something like Cloud that will talk to an IdP.
In closing, here's a nice irony. Educause's Internet 2 Shibboleth-enabled applications and services wiki is hosted on Confluence.
I'm sorry I didn't have the opportunity to have this conversation with the chaps from Atlassian at the user group. It's a pity I hadn't spotted Crowd on Atlassian's wiki before the meeting, because this post feels a little discourteous.
15 December 2006 at 3:24 PM
Lets hope the Atlassian guys have search rss feeds to catch this entry.
15 December 2006 at 6:41 PM
Don't worry, we did catch it. I forwarded a link on to the lead crowd developer, and I believe he contacted Miles directly. Thanks again for the input. Hearing stuff like this relly helps us decide how to move the product forward.
Cheers,
Jonathan @ atlassian
15 December 2006 at 8:20 PM
@Ian - the chaps at Atlassian are way too sharp to miss anything :)
@Jonathan - haven't heard anything just yet: though it must be well into the weekend in your neck of the woods.
18 December 2006 at 11:3 AM
Miles - thanks for the post, very informative. We are (as always) still thinking and considering this. It certainly won't make 1.0 but nothing after that is definite.
The Crowd tech lead, Justen Stepka, has posted a lot more discussion on his blog which may be of interest:
http://www.jstepka.name/blog/2006/12/17/crowd-vs-saml-vs-liberty-alliance-vs-openid-vs-cas-vs-shibboleth/
Cheers,
Mike @ Atlassian
18 December 2006 at 1:18 PM
@Mike - thanks for pointing me at Justen Stepka's blog: I've left rather a long comment!
19 December 2006 at 8:42 AM
Very interesting post Miles. I came across it looking for shibboleth kits for the Wildfire jabber server. I like your statement about shibboleth being the new ldap. I wish it was but like the guy from Atlassian says, saml takes a lot of knowledge and effort just to understand it, let alone develop something that uses it.
A shibbed JIRA would be nice. Unfortunately it's commercial so the tech-heads at institutions can't get to work on it.
Commercial/academic research partnerships aren't uncommon. Maybe that's a way to get commercial apps like JIRA into the uk fed.
Will the fed just become a document repository or will it have applications and services too? All depends who thinks shibboleth is worth the effort.
20 December 2006 at 11:1 PM
I'm old enough to remember LDAP before it became a network operating system commodity. Perhaps I should have used "X.500" for dramatic effect.
I don't think LDAP is that easy to deploy if you are using it for something more than an OS directory. It never ceases to amaze me how many promising web-applications don't have LDAP authentication as an option, and how many LDAP authenticators are written as "assume user ID is part of DN, and that password can be read out of LDAP store like a database". In other words, a lot of work for implementers.
JIRA's authentication is pluggable AFAIK, so it shouldn't be impossible to Shib.
It looks to me like the UK Federation (chavs call the police the "feds" round here, so I can't bring myself to use your abbreviation) will end up as a document repository - but I would like it to have applications and services, because that's something I believe is both valuable to institutions, and an opportunity for them. Even if it is a document repository, Confluence makes an intriguing 21st century repository.