Can the SP forward artifact consumption to another service?

Matthieu Huin matthieu.huin at
Wed Nov 12 06:03:21 EST 2014


I've been looking into artifacts (section 3.6 of
and would like to know if Shibboleth SP could support passing the artifact, once obtained, to another service, through some form of callback. This service would then consume the artifact and fetch the assertions from the IdP.

It is probably a bit far-fetched, but the OpenStack community has to deal with a case where the web GUI (Horizon) is a distinct entity from the identity/authZ service (Keystone). Keystone recently got support for federation through SAML (as an SP, behind mod-shib), and CLI operations are possible through ECP, but getting the right federated AuthN workflow through Horizon is tricky. So using artifacts and having Horizon pass them to Keystone could maybe solve this; or is there something else that could be done?


Matthieu Huin 

mhu at 
11 bis rue roquépine – 75008 PARIS France
