ADFS Shibboleth question

Chris Phillips Chris.Phillips at
Thu Apr 3 10:49:28 EDT 2014

If you are replacing your Shib IdP with ADFS as the IdP and answering SAML requests, maybe, but I could see a lot of heartache managing metadata within ADFS and doing claims mapping.
See for more in this vein and related comments from Scott a few moments ago.

It's plausible (and debatable) to have Shibboleth as the IdP on IIS and defer to ADFS for sign on (like Shibboleth can do with CAS), but the Shibboleth software would need more than just a token: it would need the unique identifier to look up the user in Shibboleth to be able to handle other Shibboleth protected services, and Office 365 would just use ADFS.

If you wanted to transition away from CAS to this, it's possible - at the expense that any CAS'ified apps will need to be converted to SAML or ADFS.

I would encourage you to have the consultant diagram out his/her recommendations in detail, with the sign on use cases exercised with it.

You could always use the SAML capabilities of Office365[1] and skip ADFS entirely, but I suspect that Lync and Office Subscriptions may not work as expected (well, likely not at all, in which case you would need ADFS).



From: <Qian>, Yi <yqian at>
Reply-To: Shib Users <users at>
Date: Thursday, 3 April, 2014 10:30 AM
To: Shib Users <users at>
Subject: ADFS Shibboleth question


The University of Kansas is using the Shibboleth IdP to authenticate our users. Now we are adding ADFS as an IdP to authenticate users for o365. The consultant from MS told us that after successful ADFS authentication, the shib IdP can obtain the token issued by ADFS, so the user is not required to log in to shib-protected resources.

I think there must be some piece missing. Should there be something like an SP or some type of relying party sitting in front of the shib IdP to intercept this token? But I do not know how.

Thanks for the help
