ADFS Shibboleth question

Qian, Yi yqian at
Thu Apr 3 10:45:29 EDT 2014

Thanks, Scott, for your answer. One thing I forgot to mention is that we are
actually using a CAS Shibboleth combination, with CAS doing the actual
authentication. It seems the university likes the ADFS login a lot; they insist
on using ADFS as an IdP too.

On 4/3/14 9:38 AM, "Cantor, Scott" <cantor.2 at> wrote:

>On 4/3/14, 10:30 AM, "Qian, Yi" <yqian at> wrote:
>>The University of Kansas is using the Shibboleth IdP to authenticate our users.
>>Now we are adding ADFS as an IdP to authenticate users for o365. The
>>consultant from MS told us that after successful ADFS authentication, the shib
>>IdP can obtain the token issued by ADFS, so the user is not required to log in
>>to shib-protected resources.
>In theory, with work, certainly not automatically.
>I would note that in reality, you want to do this the other way around.
>You're better off having ADFS hand off requests for a login to the IdP
>using SAML. The ADFS server is already a SAML SP, and you already have
>that in place, so there's no reason to reverse it.
>>I think there must be some piece missing. Should there be something like an
>>SP or some type of relying party sitting in front of the shib IdP to intercept
>>this token? But I do not know how
>Yes, you're correct. And it wouldn't be particularly easy, because ADFS as
>an SP, unlike Shibboleth, does not present a clean, portable method to
>obtain user identity unless you deploy extra pieces that do Windows
>impersonation or something like that.
>-- Scott