Azure as an IdP, Shibboleth as an SP.

Jeffrey Williams jfwillia at
Mon Apr 22 14:36:35 EDT 2019


Today we have Shibboleth as our primary IdP.  We integrate with Azure
acting as an SP for O365 and portal access, as well as Slack and
ServiceNow (everything else is federated or integrated directly against Shib).  So
a user logging into a service integrated with Azure does HRD, is redirected
to Shib, authenticates, then is returned to Azure, who translates the shib
SAML assertion/session into Azure ones and allows the user to log in.

I've been asked about the feasibility of adjusting the process, where Azure
becomes the primary IdP and all SSO requests going to Shib are redirected
to Azure for authentication, then the returning assertion is repackaged as
a shib assertion and returned to the SP.  Azure-integrated services would
go back to the SP after AZ authn.

Is that something that is possible with Shibboleth today?  If so, what is
the best way to go about this?

Jeffrey Williams
Identity Engineer
Identity & Access Services