ADFS Shibboleth question

Cameron Kerr cameron.kerr at
Thu Apr 3 15:57:23 EDT 2014

Another difficulty, not to be forgotten because it ends up being rather annoying, is logout. (to simplify matters, I'm only considering it with one IdP, not a federated logout).

As an example, I have an IdP that integrates with an Oracle SSO (Webgate/OAM). In a way this is rather nice, because I get to have my IdP cluster stateless, and if you have an OAM session, then you will automatically get an IdP session.

However, I'm reluctant to move forward with it at the moment, because I need (particularly for shared devices such as Library kiosks -- and probably also things like loaner iPads) users to be able to click on a logout link in a protected application... that means the Application has to hook to the SP, which has to hook to the IdP, which has to hook to OAM, which then has to hook back to the application.

Oh, and I need to make my IdP cluster stateful to get logout working...

In my case, login was easy... logout may be a little more dreadful.

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Qian, Yi
Sent: Friday, 4 April 2014 4:55 a.m.
To: Shib Users
Subject: Re: ADFS Shibboleth question

The people who love ADFS at the university must be very disappointed.
Thanks Scott for the help.

On 4/3/14 10:20 AM, "Cantor, Scott" <cantor.2 at> wrote:

>On 4/3/14, 11:06 AM, "Qian, Yi" <yqian at> wrote:
>>After ADFS set up, we will have 2 IdPs, Shibboleth IdP and ADFS IdP,
>>Shib IdP will use CAS authentication against sun/oracle LDAP, ADFS will
>>authenticate against AD.
>>The requirement at the university is user can authenticate against either
>>of the IdP and does not require login again
>You cannot meet that requirement with the above choices.
>>The puzzle here is after user login against ADFS, then access Shib-CAS
>>protected resources, how Shib can intercept the SAML assertion issued by
>It can't. You're being asked for the impossible, and your diagram will
>have to change or the requirements will.
>-- Scott
