The Tell
The rep says: "We work with a lot of institutions that have moved away from Shibboleth to more modern platforms." Sometimes it's softer — "Shibboleth has been great, but the landscape has really changed" — but the damage lands the same way. The IAM team hears one thing: this person thinks Shibboleth is a legacy problem. The meeting continues, but the IAM team has already made their assessment.
The Mechanic
Twenty years of Shibboleth on a campus means twenty years of InCommon federation participation — the institution has registered as an IdP in the federation metadata aggregate, established SP relationships with hundreds of research collaborators and library resource providers, and built attribute release policies governing exactly which eduPersonAffiliation values flow to which service providers under which conditions. Those policies were negotiated, documented, and embedded in the institutional memory of whoever has been running the IdP.
The vocabulary that separates a peer from a vendor in this conversation: "SP relationships" not "SSO connections." "Federation metadata" not "configuration." "Attribute release" not "data sharing." "eduPersonAffiliation" not "user roles." A rep who uses the second term in each pair has announced their outsider status before the second sentence.
The signal underneath the vocabulary is structural. InCommon federation is a trust framework. When a campus IAM team invokes Shibboleth tenure, they're invoking their standing in that framework — the working group participation, the peer relationships, the institutional identity that comes with being a long-standing federation member. Treating that as a migration objection is a category error.
The Move
Say this:
"Twenty years of InCommon participation means you've built SP relationships and attribute release policies that took years to negotiate. That federation layer isn't going anywhere — and it shouldn't. What I'm curious about is where your IdP is getting stretched beyond what the federation model was designed to handle. Are you seeing pressure from service providers that aren't in the InCommon aggregate? Non-human identities that don't map cleanly to eduPersonAffiliation? That's usually where the conversation gets interesting."
Not that: Any framing that positions Shibboleth tenure as a problem to solve rather than infrastructure to understand. "A lot of schools are moving away from Shibboleth" is the version that ends the meeting without ending the meeting.
When: The first three minutes of an IAM team conversation, immediately after the tenure statement is made. Do not wait. Do not pivot to a product slide. Respond to the statement directly, in its own terms.
Why it lands: The IAM team hears that you understand federation as institutional trust infrastructure with operational history attached. That moves the conversation from replacement to coexistence. The question about where the IdP is getting stretched is diagnostic — the kind a peer would ask. The IAM team knows the difference, and they're listening for it.
Tier Calibration
- R1: Federation complexity is highest here. Research computing SPs, multi-institution data sharing agreements, and non-human identities that don't fit the eduPerson schema are all live pressure points. The "where is it getting stretched" question will get a specific answer. Be ready for it.
- Mid-size: The tenure claim often signals staff capacity as much as technical investment. One or two people may own the entire IdP. Coexistence framing should acknowledge operational continuity — they're not worried about the architecture; they're worried about who maintains two systems.
- Community College / Consortia: The institution may be one node in a consortium-managed IdP deployment. Confirm who owns the federation metadata before deploying this move. The right answer may be directed at a consortium IAM lead, not the campus IT director.
Community fluency content is durable and does not require quarterly review. Refresh triggers: structural changes to InCommon Baseline Expectations, significant revision to eduPerson schema governance, or material shifts in the Shibboleth Consortium's community positioning and roadmap.

