Can a Shibboleth service provider present itself as a SAML identity provider for federation?

Peter Schober peter.schober at
Wed Apr 24 07:44:36 EDT 2019

* Graham Leggett <minfrin at> [2019-04-24 13:32]:
> I am currently struggling with a conceptual problem on how a
> federated Shibboleth integrates with an application that expects a
> My application embeds pac4j-saml, and integrates with a single IDP,
> and this works great.

Then you have no need for the Shib SP, another SAML SP implementation.
(Or you could decide to forgo pac4j-saml and replace it with simply
relying on getRemoteUser() and request.getAttribute() calls.)

> I want to support multiple IDPs in a federation, and am struggling
> on how to configure this using Shibboleth.

You can't solve the deficiencies of one SAML SP implementation by
adding a second one.

> Can Shibboleth present itself as a federated SAML2 IDP? The
> documentation seems to suggest it can, but then stops short of
> telling me how.

No, the Shibboleth *IDP* can present itself as a SAML IDP (because it
is one), and /that/ could use a Shibboleth SP to provide
authentication (by providing REMOTE_USER from the web server), and
/that/ Shib SP could use those /other/ IDPs for authentication and
attributes. Doable, yes. Sensible? Highly doubtful.

If you insist on using an incapable SAML implementation (pac4j-saml
should support multiple IDPs, then none of this would be necessary)
then I'd suggest other tools specifically created for SAML proxying,
e.g. SaToSa ( )
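
The getRemoteUser()/request.getAttribute() approach mentioned in the reply, as an added example that is not part of the original thread: a servlet filter that trusts only what the Shibboleth SP in the front-end web server exported and accepts logins only from listed federation IdPs. The class name, the entityIDs and the `app.*` attribute names are hypothetical; it assumes the `javax.servlet` API and that the SP passes its variables as request attributes (for example over AJP) rather than as HTTP headers, which a client could forge.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread or from the Shibboleth project.
public class ShibSessionFilter implements Filter {

    // Constructed placeholder entityIDs; list the federation IdPs you accept.
    private static final Set<String> ALLOWED_IDPS = Set.of(
            "https://idp.example.org/idp/shibboleth",
            "https://idp.example.edu/idp/shibboleth");

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // REMOTE_USER is filled in by the SP from the attribute its configuration names.
        String user = request.getRemoteUser();
        // Shib-Identity-Provider holds the entityID of the IdP that authenticated the user.
        Object idp = request.getAttribute("Shib-Identity-Provider");
        // "eppn" is the id in the SP's default attribute-map.xml; adjust to your mapping.
        Object eppn = request.getAttribute("eppn");

        if (user == null || user.isEmpty() || !(idp instanceof String)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No SP session");
            return;
        }
        if (!ALLOWED_IDPS.contains(idp)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "IdP not accepted");
            return;
        }
        // Keep the asserting IdP next to the identifier: with several IdPs,
        // a user name is only meaningful together with who asserted it.
        request.setAttribute("app.principal", user);
        request.setAttribute("app.idp", idp);
        request.setAttribute("app.eppn", eppn);
        chain.doFilter(request, response);
    }
}
```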
