Solicited and Unsolicited

Lohr, Donald lohrda at
Wed Apr 3 12:49:02 EDT 2019

We currently have 3 SP's that support two auth models that I will refer 
to as "Solicited" and "Unsolicited".

Solicited: Using the SP url, user is redirected to our IdP federated 
login page where our user would enter their loginID and password.

Unsolicited: Our users can login to another (on-prem) application, click 
a link and "leap-frog" (if you will) to one of these three SPs using an 
encrypted secret (which is an agreed SAML response).

My questions:

Say we have an application that only does LDAP auth (like a portal of 
sorts that does not use our IdP).  Is it possible for that application 
to send an unsolicited SAML response to our Shibboleth IdP (an agreed to 
response) that could be processed by the IdP as if the user did the 
normal solicited login?  At which point, could the normal "flow" (if you 
will) happen: 1) the user's loginID would be looked up in the LDAP 
directory for the required attributes 2) processed by the filter & 
replying party configuration 3) a normal SAML response generated 4) the 
user redirected to the said SP?


D o n a l d   L o h r
  I n f o r m a t i o n   S y s t e m s
  J a m e s   M a d i s o n   U n i v e r s i t y
  5 4 0 . 5 6 8 . 3 7 3 0

  DOS:  Bad command or file name
  bash: command not found

More information about the users mailing list