Solicited and Unsolicited

Peter Schober peter.schober at
Wed Apr 3 14:01:54 EDT 2019

* Lohr, Donald <lohrda at> [2019-04-03 18:49]:
> Say we have an application that only does LDAP auth (like a portal of sorts
> that does not use our IdP).  Is it possible for that application to send an
> unsolicited SAML response to our Shibboleth IdP (an agreed to response) that
> could be processed by the IdP as if the user did the normal solicited
> login?  At which point, could the normal "flow" (if you will) happen: 1) the
> user's loginID would be looked up in the LDAP directory for the required
> attributes 2) processed by the filter & replying party configuration 3) a
> normal SAML response generated 4) the user redirected to the said SP?

AFAIU what you want is "programmatic login" at the IDP, without
involving the subject (or the subject visiting the IDP herself
with a web browser)? If so maybe SAML ECP could be an option.

Either way, the IDP only deals in SAML (or CAS or OIDC) outgoing, so
the protected resource would need to be modified to accept such
protocol messages instead of trying to impersonate the subject to an
LDAP server.

I.e., turning that portal into a SAML SP would be preferable.
Of course if that portal impersonates the subject to other services as
well (e.g. to an IMAP or caldav service) those things wouldn't work as
the subject's password (as used at the IDP) is not available to SAML
SPs ordinarily (though it could be sent as a SAML attribute).

