ADFS Shibboleth question
cantor.2 at osu.edu
Thu Apr 3 10:38:20 EDT 2014
On 4/3/14, 10:30 AM, "Qian, Yi" <yqian at ku.edu> wrote:
>The University of Kansas is using a Shibboleth IdP to authenticate our users;
>now we are adding ADFS as an IdP to authenticate users for O365. The
>consultant from MS told us that after successful ADFS authentication, the shib
>IdP can obtain the token issued by ADFS, so the user does not need to log in
>to shib-protected resources.
In theory, with work, certainly not automatically.
I would note that in reality, you want to do this the other way around.
You're better off having ADFS hand off requests for a login to the IdP
using SAML. The ADFS server is already a SAML SP, and you already have
that in place, so there's no reason to reverse it.
>I think there must be some piece missing; should there be something like an
>SP or some type of relying party sitting in front of the shib IdP to intercept
>this token? But I do not know how.
Yes, you're correct. And it wouldn't be particularly easy, because ADFS as
an SP, unlike Shibboleth, does not present a clean, portable method to
obtain user identity unless you deploy extra pieces that do Windows
impersonation or something like that.
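The reply above rests on the fact that ADFS is already a SAML SP and can hand the login off to the Shibboleth IdP. Before registering such an SP with the IdP, an operator normally inspects its metadata: the entityID, that it publishes a signing certificate, and that every AssertionConsumerService endpoint is HTTPS. The following script is an added example, not code from the thread or from the Shibboleth project; the embedded metadata is constructed (it mirrors the usual ADFS layout of an `/adfs/services/trust` entityID and an `/adfs/ls/` endpoint, but the host and certificate are placeholders).

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata of the shape an ADFS server publishes.
# The host name and the certificate body are placeholders, not real values.
ADFS_SP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.edu/adfs/services/trust">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.edu/adfs/ls/"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://adfs.example.edu/adfs/ls/"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def inspect_sp_metadata(xml_text):
    """Return the entityID, the ACS endpoints and a list of problems found
    in a SAML 2.0 SP metadata document (empty list means nothing to flag)."""
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "problems": [], "acs": []}

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        result["problems"].append("no SPSSODescriptor: this is not SP metadata")
        return result

    # The metadata spec defaults WantAssertionsSigned to false when absent.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        result["problems"].append("WantAssertionsSigned is not true")

    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    has_signing_key = any(
        kd.get("use") in (None, "signing")
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for kd in sp.findall("md:KeyDescriptor", NS)
    )
    if not has_signing_key:
        result["problems"].append(
            "no signing certificate: signed AuthnRequests cannot be verified")

    for acs in sp.findall("md:AssertionConsumerService", NS):
        location = acs.get("Location", "")
        result["acs"].append((acs.get("Binding"), location))
        # Assertions are returned to this URL; plain HTTP would expose them.
        if not location.startswith("https://"):
            result["problems"].append(
                "non-HTTPS AssertionConsumerService: " + location)

    if not result["acs"]:
        result["problems"].append("no AssertionConsumerService endpoint")
    return result


if __name__ == "__main__":
    report = inspect_sp_metadata(ADFS_SP_METADATA)
    print("entityID:", report["entity_id"])
    for binding, location in report["acs"]:
        print("ACS:", binding, location)
    print("problems:", report["problems"] or "none")
```

Run it against the real ADFS metadata (served from `/FederationMetadata/2007-06/FederationMetadata.xml` on the ADFS host) by reading that file into `inspect_sp_metadata` in place of the constructed sample; an empty problem list is the precondition for adding the entity to the IdP's metadata sources.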