Solicited and Unsolicited

[Cantor, Scott]

On 4/3/19, 4:51 PM, "users on behalf of Lohr, Donald" <users-bounces at shibboleth.net on behalf of lohrda at jmu.edu> wrote:

> Without disclosing too much.

I had a pretty clear idea.

There's no way to do this out of the box, which is probably what you were asking. And I don't think I would do it the way you were speculating even if we did something like this. SAML wouldn't be the mechanism of choice, the system on the other end would not be trustworthy to pull that off.

We don't have a token-based authentication flow at this point. Some kind of OAuth flow is inevitable but there's nothing like that yet.

And I concur with Nate: this is a bad idea. Suck it up and just login a second time if need be, or convince the other system to stop doing LDAP authn, which sounds pointless in this scenario. Protecting links to other systems is what people with no understanding of the web do. Lock them in a closet and feed them occasionally, but don't let them make decisions.

-- Scott