ForceAuthn and RemoteUser handler
cantor.2 at osu.edu
Mon Oct 30 09:25:29 EDT 2017
> Would updating the config in this way work?
Yes, it works. There are those who obviously wouldn't take kindly to that, and I think a better strategy longer term is just to request a feature to essentially override settings like this in a request. It's ugly, but if that's what it takes to make these ignorant systems function properly, then so be it, I guess. Better than lying to everybody else.
There are some additional needs, I think, like being able to configure multiple copies of a login flow targeted to different relying parties without having to actually copy web flows.
> 2) Configure Shibboleth IDP to use another SAML2 IDP for upstream
Why would that help? And no, there is no support for that.
> 3) Reconfigure the IDP to do the AuthN itself to LDAP
> Not high on my list of things I'd like to do as it would break the SSO
> model we currently use internally and would require a bunch of comms to
> users to warn them the login screen for some services is going to change
I think you should strongly consider picking one SSO system. If not Shibboleth, that's fine, but running two is just not in anybody's long-term interest.