Crafted url for Idp initiated sso that includes discovery service?

Cantor, Scott cantor.2 at osu.edu
Tue Jan 17 10:22:28 EST 2017


> We have a vendor that is only supporting an IDP initiated sso connection to
> their app. This app will be accessed by several of our federated schools that
> make use of our centralized discovery service. I was wondering if there was a
> way to craft a link that inserts the discovery service into the process so we
> could use one link for all schools.

The only defined DS pattern in Shibboleth involves the SP; it doesn't dispatch to IdPs directly, because of all the inherent problems with IdP-initiated flows. So nothing stops you, but this isn't a discovery service in the sense it's formally defined by us.

> Let me know if I'm even on the right track with this type of link or am I
> barking up the wrong tree?

The old WAYF hack is not a discovery service; it redirects directly to IdPs. Just build a redirector that does the same thing but to the proprietary SAML 2 endpoint at the IdP.

-- Scott
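The kind of redirector described in the reply above, written here as an added example that is not code from the thread or from the Shibboleth project. It takes one shared link carrying the chosen IdP's entityID, checks that entityID against a fixed allowlist of federation IdPs, and answers with a redirect to that IdP's unsolicited (IdP-initiated) SAML 2 SSO endpoint. The endpoint path `/idp/profile/SAML2/Unsolicited/SSO` and the `providerId` / `target` query parameters are the Shibboleth IdP's documented unsolicited-SSO interface; every host name, entityID and RelayState value below is a constructed sample. The allowlist and the target-host check are the parts that matter for a defender: without them the single link is an open redirector, and an attacker can point users at an IdP or a post-login page of their choosing.

```python
"""WAYF-style redirector for a vendor SP that only supports IdP-initiated SSO.

Assumptions (not taken from the original thread): the Shibboleth IdP
unsolicited-SSO endpoint path and its providerId/target parameters are real;
all host names, entityIDs and targets are constructed sample values.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Allowlist of federation IdPs this redirector may send a browser to, keyed by
# entityID (constructed sample values). Anything not listed is refused, so the
# shared link cannot be turned into an open redirect to an arbitrary IdP.
IDP_ALLOWLIST: Dict[str, str] = {
    "https://idp.school-a.example.edu/idp/shibboleth": "https://idp.school-a.example.edu",
    "https://idp.school-b.example.edu/idp/shibboleth": "https://idp.school-b.example.edu",
}

# entityID of the vendor SP that only supports IdP-initiated SSO (constructed).
VENDOR_SP_ENTITY_ID = "https://vendorapp.example.com/saml/metadata"

# RelayState targets are only allowed on the vendor's own host over HTTPS, so
# the link cannot bounce users somewhere else after they log in.
ALLOWED_TARGET_HOSTS = {"vendorapp.example.com"}

# Shibboleth IdP unsolicited (IdP-initiated) SAML 2 SSO endpoint path.
UNSOLICITED_SSO_PATH = "/idp/profile/SAML2/Unsolicited/SSO"


def target_is_allowed(target: str) -> bool:
    """Accept only https URLs whose host is in ALLOWED_TARGET_HOSTS."""
    parts = urlsplit(target)
    return parts.scheme == "https" and parts.netloc in ALLOWED_TARGET_HOSTS


def build_unsolicited_sso_url(idp_entity_id: str, target: Optional[str] = None) -> Optional[str]:
    """Return the IdP-initiated SSO URL for an allowlisted IdP, or None if the
    IdP is unknown or the requested target is not permitted."""
    base = IDP_ALLOWLIST.get(idp_entity_id)
    if base is None:
        return None
    params = {"providerId": VENDOR_SP_ENTITY_ID}
    if target is not None:
        if not target_is_allowed(target):
            return None
        params["target"] = target
    # urlencode percent-encodes the entityID and target so they survive as
    # single query values at the IdP.
    return f"{base}{UNSOLICITED_SSO_PATH}?{urlencode(params)}"


def handle_redirect(query_string: str) -> Tuple[int, Dict[str, str]]:
    """Handle one request to the shared link (?entityID=...&target=...).

    Returns (HTTP status, response headers) the way a tiny WSGI app would:
    400 when no entityID was supplied, 403 when the IdP or target is refused,
    302 with a Location header otherwise.
    """
    qs = parse_qs(query_string)
    entity_id = qs.get("entityID", [None])[0]
    target = qs.get("target", [None])[0]
    if entity_id is None:
        return 400, {}
    location = build_unsolicited_sso_url(entity_id, target)
    if location is None:
        return 403, {}
    return 302, {"Location": location}


if __name__ == "__main__":
    # Constructed sample request: school A, landing on the vendor app's front page.
    sample_query = urlencode({
        "entityID": "https://idp.school-a.example.edu/idp/shibboleth",
        "target": "https://vendorapp.example.com/app",
    })
    print(handle_redirect(sample_query))
```

In a real deployment the `entityID` values in the allowlist would be loaded from the federation metadata you already consume rather than hard-coded, and the redirector would sit behind the same discovery UI the schools already use, so the user picks their school once and lands at the vendor app.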