request IdP assertions from java

Cantor, Scott cantor.2 at
Wed Jan 18 15:57:41 GMT 2012

On 1/18/12 10:45 AM, "enache alex" <alex_e_fii at> wrote:
>I'm extremely new to this sso, shibboleth, IdP, SP, etc. etc. things. So
>I thought to ask the experts :). I have to integrate our software with
>shibboleth (only the IdP part of it). For this I need to create some sort
>of PAM to access the IdP and receive the assertions.

The IdP doesn't include any SAML (or other) profiles that address that use
case(*), and it's inappropriate to use other profiles for a different
purpose. That leads to security problems when things don't work as

(*) The ECP support is somewhat adaptable to a PAM-like use case, but not
really. With PAM you're probably thinking of taking a password and somehow
directly talking to the IdP, but that's not how SAML normally works. But
it's somewhat similar if you squint. One could act as both "client" and
"SP" in the ECP model, take the credentials, formulate a request, use them
to acquire a Response from the IdP as the profile dictates, and then
process the Response as the relying party. We don't have anything like
that implemented, and most especially not a full relying party in Java.

-- Scott
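The flow sketched in the footnote, as an added example that is not from the original message or the Shibboleth project: Python standard library code that builds the SOAP-wrapped AuthnRequest and checks that the IdP's reply is bound to it. The function names, HTTP Basic for the credentials, and the entity IDs passed in are assumptions; XML signature verification and validity-window checks are assumed to be done by a SAML library and are not shown.

```python
import base64, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Function names and the use of HTTP Basic are assumptions, not Shibboleth code.
NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)

def build_request(sp_entity_id, acs_url):
    """Return (request ID, SOAP envelope bytes) holding the AuthnRequest."""
    req_id = "_" + uuid.uuid4().hex
    env = ET.Element(q("S", "Envelope"))
    body = ET.SubElement(env, q("S", "Body"))
    req = ET.SubElement(body, q("samlp", "AuthnRequest"), {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, q("saml", "Issuer")).text = sp_entity_id
    return req_id, ET.tostring(env)

def basic_auth(user, password):
    """Authorization header value for the POST to the IdP's ECP endpoint."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_response(soap, req_id, sp_entity_id, acs_url, idp_entity_id):
    """Return the list of failed binding checks; empty means all passed."""
    env, failed = ET.fromstring(soap), []
    hdr = env.find("S:Header/ecp:Response", NS)
    if hdr is None or hdr.get("AssertionConsumerServiceURL") != acs_url:
        failed.append("ecp:Response ACS URL")
    resp = env.find("S:Body/samlp:Response", NS)
    if resp is None:
        return failed + ["samlp:Response missing"]
    if resp.get("InResponseTo") != req_id:      # reply must answer our request
        failed.append("InResponseTo")
    if resp.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        failed.append("Issuer")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        failed.append("StatusCode")
    if sp_entity_id not in [a.text for a in resp.iterfind(".//saml:Audience", NS)]:
        failed.append("Audience")               # assertion issued for another SP
    return failed
```

The caller keeps the request ID returned by `build_request` and passes it to `check_response` together with its own entity ID and ACS URL, so a Response issued for a different request or a different relying party is rejected.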
