ForceAuthn and RemoteUser handler

Matthew Slowe M.Slowe at
Mon Oct 30 16:08:36 EDT 2017

On Mon, Oct 30, 2017 at 01:25:29PM +0000, Cantor, Scott wrote:
> > Would updating the config in this way work?
> Yes, it works. There are those who obviously wouldn't take kindly to
> that, and I think a better strategy longer term is just to request a
> feature to essentially override settings like this in a request. It's
> ugly, but if that's what it takes to make these ignorant systems
> function properly then so be it I guess. Better than lying to
> everybody else.

This IDP instance is only talking to MS so I don't mind *quite* so much

> > 2) Configure Shibboleth IDP to use another SAML2 IDP for upstream
> > authentication
> Why would that help? And no, there is no support for that.

My thinking was that the Shibboleth IDP could handle the ForceAuthn fine
and pass on the actual authentication like it can do for things like

> > 3) Reconfigure the IDP to do the AuthN itself to LDAP
> > 
> > Not high on my list of things I'd like to do as it would break the SSO
> > model we currently use internally and would require a bunch of comms to
> > users to warn them the login screen for some services is going to change
> > etc.
> I think you should strongly consider picking one SSO system. If not
> Shibboleth, that's fine, but running two is just not in anybody's long
> term interest.

We did... we chose SimpleSAMLphp as our central SSO but have had to hang
Shibboleth off to the side to cope with Office365... this seemed like
the most elegant solution to keeping it seamless until recently.

Matthew Slowe | Server Infrastructure Officer
IT Infrastructure, Information Services, University of Kent
Room S21, Cornwallis South
Canterbury, Kent, CT2 7NZ, UK
Tel: +44 (0)1227 824265 | @UnikentUnseenIT | @UKCLibraryIt

More information about the users mailing list