Can a Shibboleth service provider present itself as a SAML identity provider for federation?
Peter Schober
peter.schober at univie.ac.at
Wed Apr 24 07:44:36 EDT 2019
* Graham Leggett <minfrin at sharp.fm> [2019-04-24 13:32]:
> I am currently struggling with a conceptual problem on how a
> federated Shibboleth integrates with an application that expects a
> SAML2 IDP.
>
> My application embeds pac4j-saml, and integrates with a single IDP,
> and this works great.
Then you have no need for the Shib SP, another SAML SP implementation.
(Or you could decide to forgo pac4j-saml and replace it with simply
relying on getRemoteUser() and request.getAttribute() calls.)
> I want to support multiple IDPs in a federation, and am struggling
> on how to configure this using Shibboleth.
You can't solve the deficiencies of one SAML SP implementation by
adding a second one.
> Can Shibboleth present itself as a federated SAML2 IDP? The
> documentation seems to suggest it can, but then stops short of
> telling me how.
No, the Shibboleth *IDP* can present itself as a SAML IDP (because it
is one), and /that/ could use a Shibboleth SP to provide
authentication (by providing REMOTE_USER from the web server), and
/that/ Shib SP could use those /other/ IDPs for authentication and
attributes. Doable, yes. Sensible? Highly doubtful.
If you insist on using an incapable SAML implementation (pac4j-saml
should support multiple IDPs; then none of this would be necessary),
then I'd suggest other tools specifically created for SAML proxying,
e.g. SaToSa ( https://idpy.org/projects/ )
-peter
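The chain described in the reply (a Shibboleth IdP whose authentication is supplied by a Shibboleth SP via REMOTE_USER, with that SP trusting the federation's IdPs rather than a single one) corresponds in outline to the httpd configuration below. This is an added illustration, not part of the original message or of the Shibboleth project's own documentation: the module path, the AJP port, the use of httpd rather than another web server, and the IdP version (v4 property layout, referenced in the note after the block) are assumptions, and the example covers only authentication, not passing attributes from the SP on into the IdP.

```apache
# Added example (not from the mailing-list post): httpd in front of the
# Shibboleth IdP webapp, with mod_shib loaded, so that the IdP's
# RemoteUser login flow is authenticated by a Shibboleth SP.
# Module path is an assumption; use whatever your package installed.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

# The SP's own handler location; required for the SP to complete logins
# (it receives the SAML responses from the federation IdPs).
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Only the IdP's RemoteUser login endpoint is protected by the SP.
# A browser reaching it is sent through the SP, i.e. through discovery
# and one of the federation's IdPs; on return REMOTE_USER is set and the
# IdP's RemoteUser flow picks up the username from it.
<Location /idp/Authn/RemoteUser>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Keep attributes out of client-settable HTTP headers (the default,
    # stated explicitly here); with AJP they travel as request attributes.
    ShibUseHeaders Off
    Require valid-user
</Location>

# Proxy the IdP webapp to its servlet container over AJP (port assumed)
# so REMOTE_USER and exported attributes reach the container as request
# attributes rather than as headers that a client could forge.
ProxyPass /idp ajp://localhost:8009/idp
```

On the IdP side this needs `idp.authn.flows = RemoteUser` (in `conf/authn/authn.properties` for IdP v4; `conf/idp.properties` in v3). On the SP side, the `<SSO>` element in `shibboleth2.xml` points at a discovery service instead of a fixed `entityID` (e.g. `<SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.federation.example/DS">SAML2</SSO>`, URL assumed) and a `<MetadataProvider>` loads the federation's signed metadata aggregate, so the SP accepts any IdP in the federation. The AJP proxying matters for security: if the IdP container were reached over plain HTTP with `ShibUseHeaders On`, a request that bypassed the SP could carry a forged REMOTE_USER header.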