ADFS Shibboleth question
yqian at ku.edu
Thu Apr 3 10:45:29 EDT 2014
Thanks Scott for your answer, one thing I forgot to mention is we actually
using CAS Shibboleth combination, CAS doing the actual authentication,
seems the university like the ADFS login a lot, they insist to use ADFS as
On 4/3/14 9:38 AM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>On 4/3/14, 10:30 AM, "Qian, Yi" <yqian at ku.edu> wrote:
>>The University of Kansas using Shibboleth IdP to authenticate our users,
>>now we are adding ADFS as IdP to authenticate user for o365, the
>>consultant from MS told us that after ADFS success authentication, shib
>>IdP can obtain the token issued by ADFS, so user does not require login
>>to shib protected resources.
>In theory, with work, certainly not automatically.
>I would note that in reality, you want to do this the other way around.
>You're better off having ADFS hand off requests for a login to the IdP
>using SAML. The ADFS server is already a SAML SP, and you already have
>that in place, so there's no reason to reverse it.
>>I think this must be some piece missing, should there is something like
>>SP or some type replying party sit in front of shib IdP to intercept this
>>token? But I do not know how
>Yes, you're correct. And it wouldn't be particularly easy, because ADFS as
>an SP, unlike Shibboleth, does not present a clean, portable method to
>obtain user identity unless you deploy extra pieces that do Windows
>impersonation or something like that.
>To unsubscribe from this list send an email to
>users-unsubscribe at shibboleth.net
More information about the users