Pass authentication to another application

Nate Klingenstein ndk at
Mon Sep 17 17:13:08 EDT 2018


It sounds like you want to basically act as an authentication proxy for the
other application.  You'll certainly need to know what protocols they

A conventional approach would be to run a Shibboleth IdP protected by your
Shibboleth SP that re-asserts the authentication information you received
from the Ping Federate IdP to the application using SAML 2.0 as the

The actual link in your application could directly trigger an "unsolicited"
assertion of information and a destination landing page after the SAML
transaction has completed.

Or, you could link directly to their service and have it issue an
authentication request to your Shibboleth IdP, which would issue an
assertion in response.  That is generally preferable.

Take care,

On Mon, Sep 17, 2018 at 2:51 PM, Rob Brooks <rbrooks at>

> Hello, I use Shibboleth SP to authenticate against a PING Federated IdP
> (not in my control) for my web application.  I want to provide a link in my
> application that then passes this authentication on to another
> application.  Can you help me to understand this process flow?  The 3rd
> party application that needs authentication has its own SSO SP (not sure of
> product) and I have the ear of their developers and can suggest workflow.
> The Ping Federated server would be harder to implement change with.
> Thanks,
> Rob Brooks
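
The "unsolicited" link described in the reply above, as an added example that is not part of the original post or of Shibboleth's own code: it builds a link to the Shibboleth IdP's Unsolicited SSO endpoint and refuses any SP or landing page that is not on an allow-list. The IdP base URL, the SP entityID, the host names and the helper name are hypothetical.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values (assumptions, not from the thread).
IDP_BASE = "https://idp.example.org/idp"
ALLOWED_SPS = {
    # SP entityID -> host on which landing pages must live
    "https://app.partner.example/shibboleth": "app.partner.example",
}


def unsolicited_sso_link(provider_id: str, target: str) -> str:
    """Build the link that asks the proxy IdP to send an unsolicited
    assertion to `provider_id` and then land the user on `target`."""
    host = ALLOWED_SPS.get(provider_id)
    if host is None:
        raise ValueError(f"unknown SP entityID: {provider_id!r}")

    # The IdP hands `target` to the SP as RelayState, so only accept
    # an https landing page on that SP's own host.
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname != host:
        raise ValueError(f"landing page not on {host}: {target!r}")

    # urlencode percent-encodes both values, so an entityID or target
    # containing '&' or '=' cannot add or override query parameters.
    query = urlencode({"providerId": provider_id, "target": target})
    return f"{IDP_BASE}/profile/SAML2/Unsolicited/SSO?{query}"


if __name__ == "__main__":
    print(unsolicited_sso_link(
        "https://app.partner.example/shibboleth",
        "https://app.partner.example/reports",
    ))
```
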