I work in post-sec and this is very common practice. There are few key players that tend to capture the majority of schools in the States/Canada for specific tech solutions. Blackboard/Canvas/D2L for LSMs, Shibboleth for SSO, Duo for 2FA, Cisco AnyConnect for VPNs.
tech solutions in the field tend to be incredibly low risk given the size and make-up of the anticipated users (enterprise services with thousands of employees and tens of thousands of students). For public institutions, there's the added element of public sector risk avoidance.
To be clear, Shibboleth is often self-hosted and usually the grey-beards understand how to maintain it. It's been around a long time and is very stable/robust and at least as unlikely to fail as Duo/Cisco (which are overall fairly robust with rare enough breaking failures). OTOH, rolling their own 2FA would likely create points of failure that rear their ugly head more often, not less often.
Shibboleth is kind of an outlier here, due to its age/maturity and position as a very old-school piece of foundational tech that got implemented when academic IT salaries were quite a bit easier to live on than they are today.
The disparity between tech salaries in academic institutions and FAANG/SaaS corps has grown immensely in the past 20 years. Most of the people who do the real work at academic institutions have been employed there for 25-40 years. Most of the young people can't stick around for long because they need to earn more money to build a stable life.
