ADFS Shibboleth question

Michael A Grady mgrady at
Fri Apr 11 18:20:01 EDT 2014

On Apr 11, 2014, at 11:05 AM, Peter Schober wrote:

> * Rupprecht, James R. <jimrupprecht at> [2014-04-11 18:00]:
>> One thing that was not in the original list of requirements
>> here... The end goal is to allow users who have already
>> authenticated using CAS/Shib to not have to reenter their
>> credentials again for ADFS. Both directories (Active Directory being
>> used by ADFS and LDAP being used by Shib) have identical user data
>> including the users' CNs and passwords so mapping between them
>> *should* be fairly straightforward. 
> It's not a mapping problem, but one of (lack of) a secure protocol for
> SSO between seperate software systems each wanting to authenticate the
> subject using username & password, and having no protocol (nor the
> possibility to proxy from one to the other) that specifies that
> securely.
> (At least commenting the "I have CAS, Shib and ADFS and all need to be
> IDPs, not subordinate to any other" part of that.)
> -peter

As Peter indicates, you can:

 - create your own SSO protocol (and/or modify the Shib IdP) to try and "marry" the Shib/CAS SSO with the ADFS SSO
       or do both of the following
 - configure ADFS to use the Shib IdP for passive authentication, and AD for WS-Trust/Active authentication
 - configure SPNEGO support in your CAS Server, so that the CAS login can leverage the Windows workstation login

So, if you already have an SSO session with Shib, anything that talks to ADFS for passive authentication (e.g. web browser) will get sent to the the IdP, which will respond back with the user's identity because they already have an active session. (Actually, since your Shib defers to CAS, it will go to CAS, which will so respond.) So the user doesn't have to enter a username/password.

And if the user already has logged in to their domain-joined workstation before doing something that requires Shib/CAS, CAS can leverage the SPNEGO support and again the user won't get challenged.

That way, I'd think you'd get at least most of what you want without needing to create new code/protocol/etc.

Michael A. Grady
Senior IAM Consultant, Unicon, Inc.

More information about the users mailing list