Can a Shibboleth service provider present itself as a SAML identity provider for federation?

Peter Schober peter.schober at
Wed Apr 24 10:44:46 EDT 2019

* Graham Leggett <minfrin at> [2019-04-24 16:19]:
> For the record, we have an existing turnkey application that uses
> Apache Shiro, and in turn pac4j-saml to talk to one IDP (and one IDP
> only). The use of pac4j-saml is simply our starting point, we are in
> no way “insisting” that it be used, and are just asking what bits we
> need to swap out to make this work.

That's fine and from what I heard pac4j-saml seemed quite capable.
That it doesn't support more than one IDP sucks (though that isn't all
that uncommon) and that's why you should replace it, if that's doable.
Doing that (instead of adding a proxy) should provide better security
and more protocol fidelity.

> Our requirement is to add the option of supporting a second IDP. Is
> Shibboleth able to do this?

Several thousands, happily.


More information about the users mailing list