ADFS Shibboleth question

Cantor, Scott cantor.2 at
Thu Apr 3 10:38:20 EDT 2014

On 4/3/14, 10:30 AM, "Qian, Yi" <yqian at> wrote:
>The University of Kansas is using the Shibboleth IdP to authenticate our users;
>now we are adding ADFS as an IdP to authenticate users for O365. The
>consultant from MS told us that after a successful ADFS authentication, the Shib
>IdP can obtain the token issued by ADFS, so the user does not need to log in
>to Shib-protected resources.

In theory, with work, certainly not automatically.

I would note that in reality, you want to do this the other way around.
You're better off having ADFS hand off requests for a login to the IdP
using SAML. The ADFS server is already a SAML SP, and you already have
that in place, so there's no reason to reverse it.

>I think there must be some piece missing; should there be something like an
>SP or some type of relying party sitting in front of the Shib IdP to intercept this
>token? But I do not know how

Yes, you're correct. And it wouldn't be particularly easy, because ADFS as
an SP, unlike Shibboleth, does not present a clean, portable method to
obtain user identity unless you deploy extra pieces that do Windows
impersonation or something like that.

-- Scott
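The hand-off Scott recommends, with ADFS acting as the SAML SP and sending logins to the Shibboleth IdP, is configured in ADFS as a claims provider trust. The following is an added illustration, not code from the thread; the trust name, the IdP metadata URL and the NameID-to-UPN mapping are assumptions, and the acceptance rules must match the attributes your IdP actually releases.

```powershell
# Register the campus Shibboleth IdP as a claims provider (SAML IdP) in ADFS.
# The metadata URL is an assumed placeholder for your IdP's published metadata.
Add-AdfsClaimsProviderTrust -Name "Campus Shibboleth IdP" `
    -MetadataUrl "https://idp.example.edu/idp/shibboleth" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true   # pick up signing-key rotation

# Acceptance transform rules: pass through only the claims you expect from this IdP.
# Assumed mapping: the IdP releases a UPN-style value as the NameID, which is
# re-issued as the UPN claim that the Office 365 relying party expects downstream.
$rules = @'
@RuleName = "Pass through NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(claim = c);

@RuleName = "NameID to UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c.Value);
'@
Set-AdfsClaimsProviderTrust -TargetName "Campus Shibboleth IdP" -AcceptanceTransformRules $rules
```

With this in place ADFS never needs to expose its own token to the IdP; the IdP remains the single place where users authenticate, and ADFS only consumes the assertion it receives as an SP.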
