Integrate 3rd party as one more Identity Provider

Peter Schober peter.schober at
Mon May 4 08:18:20 EDT 2015

* Surinaidu Majji <pioneer.suri at> [2015-05-04 08:12]:
> We have a "Third Party" which will have its own database and authentication
> service. Because of the following components I am assuming the 3rd party as
> one more "IDP" like Shibboleth Idp.
>  1) "Third Party" will give its own "login.jsp" if the user accessing the
> application is not authenticated.
>  2) It has its own database to authenticate the credentials entered in the
> login page.
>  3) It will give the "Token" and required user information once the user is
> authenticated at Database.
>  4) The token will be stored at application side (SP) to identify the user
> when he accesses the application a second time without going to Third Party idp.
> That's why I am calling "Third Party" as an "IDP" which is similar to
> Shibboleth Idp. Is my assumption correct? Please correct me if I am wrong.

There should be no guesswork involved (so I won't guess).
Whether the third party deploys a SAML IDP or not (i.e., whether
they're able to send SAML response messages to SAML request messages)
is something you would ask them.

> If the third party is confirmed as an IDP, can I use "discover service" to
> integrate "Third Party" in the existing application (Shibboleth SSO)?
> If I have to use the "discover service" to discover Idp (Shibboleth or Third
> party), what is the main purpose of using "discovery Service", except
> finding which Idp it should redirect to authenticate? If it is the case, we
> can write our own discovery service, why use Shibboleth discovery? Please
> confirm my understanding.

Yes, to basically everything above. You could use one of the provided
discovery services, or roll your own. The discovery services provided
by the Shibboleth project are designed to deal with thousands of IDPs
in a scalable way (if needed), which is not your issue here.

For just 2 IDPs you could even create static links pointing to each
IDP, initiating the desired protocol exchange via whatever method your
SP (or IDPs) support.
Since the SP is not Shibboleth we can't really be more specific here,
of course.

> - If "third Party" is not considered as an "Idp", how to integrate
> third party in our current application?

E.g. by having the organization responsible turn it into a SAML IDP
(so that you can keep relying on SAML for the protection of your
Or by extending your resource/application to also support whatever
(possibly home-grown) protocols the third party does support.
I'd certainly strongly prefer one method over the other.
