Integrate 3rd party as one more Identity Provider

Surinaidu Majji pioneer.suri at
Mon May 4 09:25:12 EDT 2015

On Mon, May 4, 2015 at 5:48 PM, Peter Schober <peter.schober at>

> * Surinaidu Majji <pioneer.suri at> [2015-05-04 08:12]:
> > We have a "Third Party" which will have its own database and
> > authentication service. Because of the following components I am
> > assuming the 3rd party is one more "IDP" like the Shibboleth IdP.
> >  1) "Third Party" will give its own "login.jsp" if the user accessing
> >     the application is not authenticated.
> >  2) It has its own database to authenticate the credentials entered in
> >     the login page.
> >  3) It will give the "Token" and required user information once the
> >     user is authenticated at the database.
> >  4) The token will be stored at the application side (SP) to identify
> >     the user when he accesses the application a second time without
> >     going to the Third Party IdP.
> >
> > That's why I am calling the "Third Party" an "IDP" which is similar to
> > the Shibboleth IdP. Is my assumption correct? Please correct me if I am
> > wrong.
> There should be no guesswork involved (so I won't guess).
> Whether the third party deploys a SAML IDP or not (i.e., whether
> they're able to send SAML response messages to SAML request messages)
> is something you would ask them.

- We know the 3rd party will not support any SAML format. So I think
they will not send SAML responses. They will only accept requests within
the XML format. Only if we treat the "3rd party" as an IDP can I use the
discovery service from Shibboleth. Please give a brief idea about this.

> > If the third party is confirmed as an IDP, can I use the "discovery
> > service" to integrate the "Third Party" in the existing application
> > (Shibboleth SSO)?
> > If I have to use the "discovery service" to discover the IdP (Shibboleth
> > or Third party), what is the main purpose of using the "discovery
> > service", except finding which IdP it should redirect to for
> > authentication? If that is the case, we can write our own discovery
> > service, so why use Shibboleth discovery? Please confirm my
> > understanding.
> Yes, to basically everything above. You could use one of the provided
> discovery services, or roll your own. The discovery services provided
> by the Shibboleth project are designed to deal with thousands of IDPs
> in a scalable way (if needed), which is not your issue here.
> For just 2 IDPs you could even create static links pointing to each
> IDP, initiating the desired protocol exchange via whatever method your
> SP (or IDPs) support.
> Since the SP is not Shibboleth we can't really be more specific here,
> of course.
- As per our current requirement we need to work with only 2 IdPs; maybe
in the future it might be extended to one more.
I went through all the discovery services provided by Shibboleth, and I
have the following observations:
   a) Embedded discovery service, which will be hosted on the server along
with the SP. It suits us, but it is "strongly recommended to use the
Shibboleth SP", and we have our own SP.
   b) Centralized discovery service, which is for the federation level and
will be hosted in a different place, but here we only use 2 IdPs, and those
in the same organization.

By the above observations, we are thinking that we cannot use the Shibboleth
discovery service. Please let me know your suggestion on this.

> initiating the desired protocol exchange via whatever method your
> SP (or IDPs) support.
What is meant by protocol exchange here?

> > - If the "third Party" is not considered as an IdP, how to integrate
> > the third party in our current application?
> E.g. by having the organization responsible turn it into a SAML IDP
> (so that you can keep relying on SAML for the protection of your
> resources).
> Or by extending your resource/application to also support whatever
> (possibly home-grown) protocols the third party does support.
> I'd certainly strongly prefer one method over the other.

- If the above is confirmed as not an IdP, then only I can go for this.
Here we will go with "whatever (possibly home-grown) protocols the third
party does support."
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
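The thread talks about a "discovery service" and a "protocol exchange" without showing what either looks like on the wire, so here is an added example (not code from the Shibboleth project, and not the poster's SP) of the two-IdP case Peter describes. It implements the request/response of the SAML V2.0 Identity Provider Discovery Protocol (parameters entityID, return, returnIDParam, isPassive) on both the SP side and the discovery-service side, plus the "static links" alternative that skips the discovery service entirely. Every entityID and URL is a constructed placeholder. Two checks matter whichever way you roll your own: the discovery service must only redirect back to a `return` URL the SP registered (otherwise it is an open redirector), and the SP must only accept an entityID that is on its own allow-list, because that value arrives in the browser's URL. What this code ends with, the SSO endpoint to send the user to, is where the "protocol exchange" Peter means begins: the SAML AuthnRequest/Response between SP and IdP, or the third party's home-grown equivalent.

```python
"""Two-IdP discovery exchange, SP side and discovery-service side.

Added example for this thread; it is not Shibboleth project code and not the
poster's SP.  Parameter names (entityID, return, returnIDParam, isPassive)
are those of the SAML V2.0 Identity Provider Discovery Protocol; every
entityID and URL below is a constructed placeholder.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed: the two trusted IdPs, keyed by entityID, mapped to the endpoint
# the SP starts its authentication protocol exchange with.  The second entry
# stands in for the "third party" (its SAML SSO endpoint once it speaks SAML,
# or its home-grown login endpoint otherwise).
ALLOWED_IDPS = {
    "https://idp.example.org/idp/shibboleth":
        "https://idp.example.org/idp/profile/SAML2/Redirect/SSO",
    "https://thirdparty.example.com/idp":
        "https://thirdparty.example.com/sso",
}

# Constructed: the SP's own entityID and the discovery-response endpoints it
# registers in metadata.  A discovery service may only send the browser back
# to one of these; honouring an arbitrary `return` value makes the discovery
# service an open redirector.
SP_ENTITY_ID = "https://app.example.org/shibboleth"
SP_DISCOVERY_RESPONSE_ENDPOINTS = {
    SP_ENTITY_ID: ["https://app.example.org/Shibboleth.sso/Login"],
}
DISCOVERY_SERVICE_URL = "https://ds.example.org/discovery"  # constructed


def sp_discovery_request(return_url: str, is_passive: bool = False) -> str:
    """SP side, step 1: build the redirect that sends the user to the
    discovery service.  `return` is where the chosen entityID must come back."""
    params = {"entityID": SP_ENTITY_ID, "return": return_url}
    if is_passive:
        params["isPassive"] = "true"
    return f"{DISCOVERY_SERVICE_URL}?{urlencode(params)}"


def is_registered_return(sp_entity_id: str, return_url: str) -> bool:
    """True only if scheme, host and path of `return_url` match an endpoint
    the SP registered; the query string (e.g. target=) may vary."""
    c = urlsplit(return_url)
    for registered in SP_DISCOVERY_RESPONSE_ENDPOINTS.get(sp_entity_id, []):
        r = urlsplit(registered)
        if (c.scheme, c.netloc, c.path) == (r.scheme, r.netloc, r.path):
            return True
    return False


def discovery_response(request_url: str, selected_idp: str) -> str:
    """Discovery-service side: given the SP's request URL and the IdP the
    user picked, build the redirect back to the SP, or raise ValueError."""
    params = parse_qs(urlsplit(request_url).query)
    sp_entity_id = params.get("entityID", [None])[0]
    return_url = params.get("return", [None])[0]
    return_id_param = params.get("returnIDParam", ["entityID"])[0]
    if return_url is None or not is_registered_return(sp_entity_id, return_url):
        raise ValueError("return URL is not registered for this SP")
    if selected_idp not in ALLOWED_IDPS:
        raise ValueError("selected IdP is not in the allow-list")
    parts = urlsplit(return_url)
    query = parse_qs(parts.query)          # keep the SP's own params (target=)
    query[return_id_param] = [selected_idp]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def sp_handle_discovery_response(response_url: str) -> str:
    """SP side, step 2: read the entityID the discovery service returned and
    return the endpoint to start the authentication exchange with.  The value
    is user-controlled (it arrives in the browser's URL), so it is checked
    against the allow-list rather than trusted."""
    params = parse_qs(urlsplit(response_url).query)
    idp = params.get("entityID", [None])[0]
    if idp not in ALLOWED_IDPS:
        raise ValueError("entityID from discovery is not a trusted IdP")
    return ALLOWED_IDPS[idp]


def static_login_links() -> dict:
    """The 'static links' alternative: one link per IdP that lands directly on
    the SP's discovery-response endpoint, so no discovery service runs at all.
    The SP handler above processes these links unchanged."""
    endpoint = SP_DISCOVERY_RESPONSE_ENDPOINTS[SP_ENTITY_ID][0]
    return {idp: f"{endpoint}?{urlencode({'entityID': idp})}" for idp in ALLOWED_IDPS}


if __name__ == "__main__":
    req = sp_discovery_request("https://app.example.org/Shibboleth.sso/Login?target=/secure")
    back = discovery_response(req, "https://thirdparty.example.com/idp")
    print(req, back, sp_handle_discovery_response(back), sep="\n")
```

With only two IdPs the `static_login_links` path is the simplest to operate: the links point at the SP's own endpoint, the SP handler does the same allow-list check it would do for a discovery-service response, and nothing else needs to be deployed.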