Multi-factor authentication with two IdPs

Dan Ciarniello DCiarniello at
Thu Aug 27 16:29:37 EDT 2015


I am looking to integrate Shibboleth into a pre-existing SSO system to add a second authentication step.

The current setup is, I believe, fairly standard with a service provider behind a reverse proxy (an F5) with an ADFS system providing SSO services.

As I understand it, the basic workflow is:

1.       F5 redirects user to ADFS for login

2.       ADFS returns SAML response to the F5 with various "claims" including a user id

3.       F5 then forwards the SAML response to the service provider

What I would like to do is insert a step after step 2 whereby after initial login, the F5 forwards the SAML Response to Shibboleth for further authentication using a custom extension.  The custom extension requires the user id from the initial login to perform the second authentication step.

I'm wondering if this is possible?  Is so, how would I set up Shibboleth to process a SAML Response rather than a SAML Request?


This email and any attachments are strictly confidential, may be privileged, and are intended only for the use of the person(s) named above. Any other person is strictly prohibited from disclosing, distributing, copying or using it. If you are not the intended recipient (or are not receiving this communication on behalf of the intended recipient), please notify the sender immediately by return email or telephone call, and securely destroy this communication. Thank you.

Please reply to this message with "Unsubscribe" or "Unsubscribe All" in the subject line to unsubscribe from this mailing list or from all commercial electronic messages from Central 1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list