IDP initiated SSO

Cantor, Scott cantor.2 at osu.edu
Mon Aug 6 20:00:45 EDT 2012


On 8/6/12 7:47 PM, "Susan Forr" <susan_forr at hotmail.com> wrote:

>I found a discussion about the IDP initiated SSO:
>https://groups.google.com/forum/?fromgroups#!topic/shibboleth-users/uS5EWOt27h8
> 
>1. There's a web application running on my server.
>
>2. The user, on accessing this application, gets authenticated by some
>mechanism. The authentication isn't forced by Shibboleth IDP but by the
>application or probably the servlet container.

That has nothing to do with IdP initiated SSO, so you can stop worrying
about that.

>My use case is exactly like the one described here. In the step 2, the
>authentication is not done by IDP.

That is not physically possible unless you construct a proprietary
security protocol between your systems to accomplish authentication to the
IdP.

>The discussion is 2008. The answer in the discussion was to setup IDP to
>accept external authentication. Is this still true for the new release?

It's true for any release by definition. What you're asking isn't how IdPs
work.

>Is this a common use case for using Shibboleth IDP?

Not in the way you're describing. What's common is to layer another SSO
mechanism like CAS or pubcookie around the IdP so that when you
authenticate to the IdP you do it by redirection to another login service
and then back using an SSO protocol. That is *not* just a redirect and you
cannot just do that without having a giant security hole. Those redirects
have to be signed or protected in some manner involving a shared key,
which is at heart how all SSO protocols work.

-- Scott
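To make the last point of the reply concrete, here is an added example (not code from Scott, the thread, or the Shibboleth project) of the difference between a bare redirect and a protected handoff. It is a generic HMAC-signed token, not SAML or CAS, and the shared key, the audience URL and the field names are constructed for the demonstration. The login service signs an assertion with a key it shares with the IdP; the IdP side accepts the redirect only if the signature verifies and the assertion is for this IdP, still fresh, and not seen before. A redirect that only carried `?user=alice` would let anyone assert any identity, which is the "giant security hole" in the reply.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example: in a real deployment the key is provisioned
# out of band to both the login service and the IdP, and the audience is the IdP's
# external-authentication endpoint.
SHARED_KEY = b"constructed-demo-shared-key-do-not-reuse"
IDP_AUDIENCE = "https://idp.example.org/external-auth"  # hypothetical endpoint id
TOKEN_LIFETIME_SECONDS = 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff_token(username: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Login service side: assert 'username authenticated here' under the shared key."""
    now = time.time() if now is None else now
    claims = {
        "sub": username,
        "aud": IDP_AUDIENCE,          # which IdP this assertion is meant for
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
        "nonce": secrets.token_hex(16),  # single-use marker for replay detection
    }
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def tamper_subject(token: str, new_sub: str) -> str:
    """Simulate editing the claims without the key; the old signature no longer matches."""
    payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_sub
    new_payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_payload}.{sig}"


class HandoffVerifier:
    """IdP side: accept a redirect only when it is signed, addressed to us, fresh and unseen."""

    def __init__(self, key: bytes = SHARED_KEY):
        self._key = key
        self._seen = {}  # nonce -> exp, pruned as entries expire

    def verify(self, token: str, now=None):
        """Return (True, username) on success or (False, reason) on rejection."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        payload, sig_b64 = parts
        try:
            provided = _b64url_decode(sig_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, payload.encode("ascii"), hashlib.sha256).digest()
        # Check the signature before trusting any claim, using a constant-time compare.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        try:
            claims = json.loads(_b64url_decode(payload))
        except ValueError:
            return False, "malformed"
        if claims.get("aud") != IDP_AUDIENCE:
            return False, "wrong audience"
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return False, "expired"
        nonce = claims.get("nonce")
        if not isinstance(nonce, str) or nonce in self._seen:
            return False, "replayed"
        self._seen = {n: e for n, e in self._seen.items() if e > now}
        self._seen[nonce] = claims["exp"]
        return True, claims["sub"]


if __name__ == "__main__":
    verifier = HandoffVerifier()
    token = issue_handoff_token("alice", now=1000)
    print(verifier.verify(token, now=1010))                       # accepted: alice
    print(verifier.verify(token, now=1011))                       # replayed
    print(verifier.verify(tamper_subject(token, "admin"), now=1010))  # bad signature
```

The signature check runs before any claim is read, so a tampered subject, a token minted under a different key, or a token addressed to another IdP never reaches the point where a session would be created; the nonce cache handles the case where a valid token is captured and resent within its lifetime.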
