Can a Shibboleth service provider present itself as a SAML identity provider for federation?

Graham Leggett minfrin at
Wed Apr 24 07:31:58 EDT 2019

Hi all,

I am currently struggling with a conceptual problem on how a federated Shibboleth integrates with an application that expects a SAML2 IDP.

My application embeds pac4j-saml, and integrates with a single IDP, and this works great.

I want to support multiple IDPs in a federation, and am struggling on how to configure this using Shibboleth.

The pac4j-saml applications expects to be given a metadata containing an IDPSSODescriptor tag. Shibboleth service provider metadata is presenting a SPSSODescriptor tag, and the two don’t chat.

Conceptually, what am I doing wrong?

Can Shibboleth present itself as a federated SAML2 IDP? The documentation seems to suggest it can, but then stops short of telling me how.

Can anyone fill me in?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3260 bytes
Desc: not available
URL: <>

More information about the users mailing list