Cross-Context External Authn w/ IdP Initiated SSO

[snekse]

Hello,

I'm completely new (5 days in) to SAML and Shibboleth, so please bear with
me.

I'm working on getting an IdP setup so I can provide authentication to a
3rd party SP.  But here's my scenario:

* User logs into www.example.com
* User clicks on a link that should take them to www.external.com, logged
in behind the scenes
* My Shibboleth IdP sits at idp.example.com
* Authentication on www.example.com varies by customer. Some are using
LDAP, most use U/P.

So I have a whole host of questions about this.

1. Am I correct that this is best done as an IdP Initiated SSO request?

2. Is the resource is the user is requesting
/idp/profile/SAML2/Unsolicited/SSO? The UML diagrams that I've seen show in
IdP-init that the user requests a resource from the IdP after login. I want
to make sure I understand what I'm supposed to request on the IdP.  It
seems like I should call that URL with query params like providerId and
shire

3. How would you do this; am I going about this the wrong way? It seems
like because my app is in the www context and my IdP is in a different
context, it makes determining if they are already authenticated harder than
it should be.  I was planning on using ExternalAuthn for the LoginHandler,
but now I'm starting to really question myself. Really just interested to
hear the different ways this could be accomplished and what the pros/cons
are to different methods.

4. Can I use www.example.com/login to authenticate? All the example I've
seen show a login page that is being served by the IdP directly.  If I'm
using ExternalAuthn and I need to force a login, I'd like to use my
existing login logic.

Thanks
Derek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20140724/6cafb635/attachment.html