Cross-Context External Authn w/ IdP Initiated SSO

snekse snekse at
Thu Jul 24 17:00:34 EDT 2014


I'm completely new (5 days in) to SAML and Shibboleth, so please bear with

I'm working on getting an IdP setup so I can provide authentication to a
3rd party SP.  But here's my scenario:

* User logs into
* User clicks on a link that should take them to, logged
in behind the scenes
* My Shibboleth IdP sits at
* Authentication on varies by customer. Some are using
LDAP, most use U/P.

So I have a whole host of questions about this.

1. Am I correct that this is best done as an IdP Initiated SSO request?

2. Is the resource is the user is requesting
/idp/profile/SAML2/Unsolicited/SSO? The UML diagrams that I've seen show in
IdP-init that the user requests a resource from the IdP after login. I want
to make sure I understand what I'm supposed to request on the IdP.  It
seems like I should call that URL with query params like providerId and

3. How would you do this; am I going about this the wrong way? It seems
like because my app is in the www context and my IdP is in a different
context, it makes determining if they are already authenticated harder than
it should be.  I was planning on using ExternalAuthn for the LoginHandler,
but now I'm starting to really question myself. Really just interested to
hear the different ways this could be accomplished and what the pros/cons
are to different methods.

4. Can I use to authenticate? All the example I've
seen show a login page that is being served by the IdP directly.  If I'm
using ExternalAuthn and I need to force a login, I'd like to use my
existing login logic.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list