How much does Shibboleth cost?

You Ask, We Answer: The True cost of Shibboleth:

We all seek to understand the costs associated with products and services before making significant purchasing decisions. Sirius believes in radical transparency. At the heart of our approach is the belief that by openly and honestly addressing cost-related questions, we can help you make the best decision for your needs. This article, guided by objective research, aims to provide a transparent analysis of the total cost of ownership for Shibboleth, moving beyond the common misconception of "free" Open Source software.

Understanding the Total Cost of Ownership (TCO) for an Identity Management Solution

To accurately grasp the financial implications of implementing Shibboleth, it's crucial to employ a Total Cost of Ownership (TCO) framework. This methodology evaluates all costs associated with an IT asset throughout its entire lifecycle, offering a more realistic and strategic perspective than just focusing on the initial purchase price. The TCO framework categorizes costs into three main areas:

  • Direct Costs: These are the most visible and easily quantifiable expenses, such as hardware, software licenses (or membership fees for Shibboleth), and initial installation or configuration fees.
  • Indirect Costs: This category covers ongoing, recurring expenses necessary for daily operation, including staff salaries, maintenance, software updates, electricity, and user training.
  • Hidden Costs: Often underestimated and difficult to forecast, these can become significant. They include financial impacts from unexpected downtime, complex integration efforts, and incident response following security breaches.

The perception that Open Source software like Shibboleth is a "free" or low-cost solution is a fundamental misconception that a TCO analysis is designed to correct. While the software itself is free to download and use under the Apache 2.0 license, the true financial reality is heavily influenced by the indirect and hidden costs that TCO reveals. The most substantial costs are typically absorbed by personnel expenses for configuration, customization, and continuous support. Failing to account for these can lead to significant budgetary overruns.

A Deeper Look: Breakdown of Shibboleth's Cost Components

Direct and Visible Costs:

While seemingly low, these are just a fraction of the overall expenditure.

  • Initial Implementation and Maintenance Fees: A standard Shibboleth implementation for an Educational institution (only) that is a member of the InCommon Federation typically incurs an initial fee of $500, with a $150 annual maintenance fee starting in the second year. For organizations not part of InCommon, the implementation fee is usually higher, at $1,000. Additional fees apply for services like data cleanup and member-matching (a minimum of $600 for 4 hours) and any special custom programming based on time spent.
  • Consortium Membership: The Shibboleth Consortium, which funds development and maintenance, relies on member fees. These fees vary by membership level and organization type, ranging from $2,960 to $8,880 for Academic or Non-Profit Members and $5,920 to $23,680 for Commercial Members. These rates are scheduled to increase by 10% in 2025 to address rising developer costs.
  • Infrastructure Costs: Shibboleth is a Java-based web application requiring specific underlying infrastructure. A Shibboleth IdP version 3 needs at least 4 Gigabytes of memory and typically runs on components like a Linux distribution (e.g., Ubuntu Server LTS, Red Hat Enterprise Linux), Apache HTTP Server, Apache Tomcat, and a PostgreSQL database. While these are Open Source, hosting them incurs costs, such as Azure compute services starting at $0.05 per hour.

Indirect and Hidden Costs: The True Drivers of TCO:

These often underestimated costs are usually the most significant portion of the TCO.

  • Personnel and Operational Costs: The most substantial costs in a Shibboleth deployment are related to personnel. A University of Washington (UW) study comparing self-managed Shibboleth to Azure AD found that while Shibboleth had "minimal hosting costs," it involved "reasonable engineering costs to maintain the hardware and software" and similar costs for application integration consulting. This highlights that the primary investment is in the labor required to manage, customize, and support the system.
  • Customization Effort: Open Source software often "requires greater amounts of effort via customization" over time, demanding more IT involvement for advanced configurations and programmer/administrative time.
  • Third-Party Security Components: Relying on third-party solutions can significantly escalate TCO. For example, integrating Duo for web authentication with Shibboleth is "very expensive". A comprehensive TCO analysis must account for the entire security ecosystem, not just the core identity provider.

Shibboleth: Self-Managed vs. Managed Service vs. Proprietary Alternatives – What's the Best Fit for You?

Understanding that "every solution is different" and costs "vary" is key to making an informed decision. The choice between self-management, a managed service, or proprietary solutions is a strategic one, balancing control with predictability and specialized expertise.

  • Self-Managed Approach:
    • Cost Drivers: Characterized by high fixed costs, including salaries, benefits, and ongoing training for IT staff. These costs can fluctuate, creating an unpredictable structure, and a specialized internal team is required.
    • Strategic Trade-offs: Offers unparalleled control and flexibility, allowing for deep customization of user interfaces, authentication flows, and user experience. It also builds deep internal knowledge. However, it carries the risk of unexpected costs and potential downtime, especially for providing 24/7 support.
  • Managed Service Approach:
    • Cost Drivers: Features a predictable, flat-fee subscription structure, avoiding the high fixed costs of hiring and training internal staff. This can lead to significant cost savings, especially for small to medium-sized businesses (under 250 users, TCO can be 18-22% lower). MSPs often include proactive monitoring, advanced tools, and robust security protocols.
    • Strategic Trade-offs: Provides access to a broad range of specialists with diverse expertise, offering adaptability and scalability. However, it means relinquishing a degree of control, as MSPs bring their own processes and standards.
    • Commercial Providers:
      • Sirius & DAASI International: Both offer comprehensive services including consulting, deployment, integration, training, and support. Their pricing models are custom and project-based, meaning you'll need to contact them for a quote tailored to your "unique needs". DAASI International offers reduced rates for authorities and research institutions.
      • Gluu: Features a more transparent, tiered subscription model based on Monthly Active Users (MAU). For example, a license for 100 MAU costs $500 per year, with hosting plans priced per location.
      • miniOrange: Offers a modular pricing structure for its SSO connector, based on instances, subsites, and tiered support plans (e.g., Essential for $149/year to Enterprise for $999/year).
  • Proprietary Alternatives (e.g., Okta, Microsoft Entra ID, Cisco Duo):
    • Cost Drivers: These solutions operate on a per-user, per-month subscription model (e.g., Okta: $2.00-$6.00/user/month; Microsoft Entra ID: $6.00/user/month; Cisco Duo: $3.00/user/month). These costs are generally transparent and predictable, consolidating hardware, software, support, and security features into a single recurring fee.
    • Strategic Trade-offs: Offer operational simplicity, integrated features, and a clear roadmap for future development. A University of Washington case study concluded that UW Azure AD was "much less costly than UW Shibboleth" when considering the broader web authentication ecosystem, particularly due to the "extremely low" cost of Azure MFA compared to the "very expensive" Duo for Shibboleth. This suggests that integrated proprietary solutions can be more attractive when comprehensive security features are required, as they might otherwise demand expensive third-party add-ons for Shibboleth.

Conclusion

The decision to deploy Shibboleth is a strategic one, heavily influenced by your organization's internal resources and its desire for control versus predictability. While the Open Source license may seem "free," a holistic TCO analysis reveals that the true cost is dynamic, driven significantly by implementation, customization, and ongoing maintenance.

To make an optimal decision, we recommend:

  • Assessing Internal Expertise: If your IT team is robust and maintaining this competency is a strategic goal, a self-managed Shibboleth offers maximum control.
  • Defining Project Scope: Shibboleth's flexibility is an advantage for projects requiring significant customization or complex integrations.
  • Evaluating TCO Holistically: Go beyond initial fees to project all direct, indirect, and hidden costs, especially internal labor and third-party components like MFA.

For organizations that prioritize ultimate control and possess a large internal IT team, a self-managed Shibboleth model provides long-term strategic advantage. For medium-sized organizations with limited internal resources, engaging a managed service provider offers predictable costs and access to expert talent. However, for those seeking rapid deployment, simplicity, and a full suite of integrated features, proprietary cloud solutions may offer a lower overall TCO. By investigating up-front what you are getting into, you can make the most informed decision for your identity management needs.