Shib report - Why it isn't working as planned

johnyma22's picture

Might be of interest to some people:  http://john.primarypad.com/single-sign-on-writeup

 


SSO solutions are easy enough; Shibboleth was overly-complex, having been designed for use in a closer-knit community with a far greater technical resource available and a greater technical skill in the average user. If SSO is needed use a multiple ID solution as do modern social services e.g. Disqus allows you to connect with a Google, Facebook or Twitter account or to register your own - it's about making it easy, not about making it hard. Authorise a couple of people in every school to confirm that person's status and expiry date and securely store that information somewhere once confirmed. Simples...

Secondly, lack of SSO is not a real barrier to engagement; confidence in the use of the technology is a far higher barrier, coupled with the technologies in question and the degree to which people are interested in them. Plenty of people regularly use secured applications with multiple username/passwords used to access them; the difference is that they want to use them, that the applications in question are slick, focused and designed to engage. Fix that problem in the education space (as far as is possible) and the excuses regarding multiple usernames and passwords will sound far weaker than they did when first raised.

IanL's picture

 I'd agree that if half the effort that was put into things like SSO and integration with SIMS was put into actually getting engagement by learners in using commonly available systems, we might be a lot further on. 

 Here is another clue why Shib is less successful than was hoped.

Quote from Moodle.org forum

Now, when Shibboleth is down, I ENABLE the former LDAP auth module and tell the users to use the manual Moodle login box. I have inserted the AAI-Login-Box above the Moodle default login Block, see here: https://moodle.fhnw.ch

And when Shibboleth works, I disable LDAP auth. (So that only manual and AAI users can log in)

So this user has had to organise their life around expected unreliability. Sounds like the Shib service is not good enough.

 Brian Lockwood