Can a Shibboleth service provider present itself as a SAML identity provider for federation?

Peter Schober peter.schober at
Wed Apr 24 11:09:34 EDT 2019

* Graham Leggett <minfrin at> [2019-04-24 16:56]:
> We definitely in a position to replace it - the question is what to
> replace it with.

The Shib SP may not fit every deployment preference on the planet but
it is the most capable and flexible SAML implementation on the planet.
So you could do worse.

> Can Shibboleth pass metadata to an application behind Shibboleth
> using something like JWT?

It should be even simpler, all you need is Apache httpd (or Nginx, if
you're fine with compiling that yourself, or lighttpd) on the same
machine as your Java servlet container and use AJP or HTTP Request
Headers to pass through the decrypted, decoded, formatted data to your
application envionment.

If the webserver cannot live on the same machine as the Java for good
reasons (assuming such exist) then yes, there's a third-party
contribution that does exactly what you're asking for above.

Personally I have no need for this: I have the resource behind Apache
httpd one way or another (AJP tunnelling or HTTP reverse proxying).

More information about the users mailing list