Solicited and Unsolicited

Nate Klingenstein ndk at signet.id
Wed Apr 3 13:29:08 EDT 2019


Donald,

I think there's either a typo or misunderstanding in your message, but...

> Say we have an application that only does LDAP auth (like a portal of 
> sorts that does not use our IdP).  Is it possible for that application 
> to send an unsolicited SAML response to our Shibboleth IdP (an agreed-to 
> response) that could be processed by the IdP as if the user did the 
> normal solicited login?

LDAP authentication is its own beast with its own protocol.  If the application were capable of triggering an unsolicited assertion, that's effectively SP-initiated SSO anyway, so I would encourage you to follow the standards and just have it issue an AuthnRequest.  It would be possible to shortcraft a link that contained an Unsolicited login link, but I would consider that inadvisable, and it's not going to help with the problem in the first case.

Also, at no point will a SAML response in the traditional assertion sense be processed by the IdP.  An AuthnRequest may be what you intended.  An unsolicited login is effectively a synthetically crafted AuthnRequest made by the IdP.

What you would need is some kind of a shim that is capable of speaking SAML on one end and LDAP on the other.

> At which point, could the normal "flow" (if you 
> will) happen: 1) the user's loginID would be looked up in the LDAP 
> directory for the required attributes 2) processed by the filter & 
> relying party configuration 3) a normal SAML response generated 4) the 
> user redirected to the said SP?

Basically, yes, but it's up to the application to be capable of using the data.

Take care,
Nate.

