ForceAuthn and RemoteUser handler

Cantor, Scott cantor.2 at
Mon Oct 30 09:25:29 EDT 2017

> Would updating the config in this way work?

Yes, it works. There are those who obviously wouldn't take kindly to that, and I think a better strategy longer term is just to request a feature to essentially override settings like this in a request. It's ugly, but if that's what it takes to make these ignorant systems function properly, then so be it, I guess. Better than lying to everybody else.

There are some additional needs, I think, like being able to configure multiple copies of a login flow targeted to different relying parties without having to actually copy web flows.

> 2) Configure Shibboleth IDP to use another SAML2 IDP for upstream
> authentication

Why would that help? And no, there is no support for that.

> 3) Reconfigure the IDP to do the AuthN itself to LDAP
> Not high on my list of things I'd like to do as it would break the SSO
> model we currently use internally and would require a bunch of comms to
> users to warn them the login screen for some services is going to change
> etc.

I think you should strongly consider picking one SSO system. If not Shibboleth, that's fine, but running two is just not in anybody's long-term interest.
-- Scott

