Multiple authentication with same IdP - multiple app - Shibboleth as SP

Peter Schober peter.schober at
Mon Nov 4 10:59:23 EST 2019

* uday.chandra.kumar <uday.chandra.kumar at> [2019-11-04 16:30]:
> In our case, both apps are on different servers. We would be loading second
> app i.e. app2 using an iFrame inside app1's page once user gets
> authenticated by the IdP (common to both app1 and app2).

I'd avoid iframes (and other frames) at all costs. Those completely
break if third-party cookies are disabled in the web browser, for
example (which they should be universally, IMO).

> I came across 'isPassive' (URL:
> Can we not
> use this in below implementation?

You can use it, it just won't solve the problem you said you had,

> Since user has already logged into the app1 after getting authenticated at
> IdP, can 'isPassive' be of our help? Please correct me if my understanding
> is wrong and let us know what necessary things do we need to have to get
> user auto-logged in into the second app i.e. app2.

You started this thread with the claim that the IDP is prompting the
subject to enter their credentials again instead of providing an SSO
experience. How is sending "isPassive" then supposed to avoid this?

If the IDP was configured to not provide SSO (or the subject's SSO
session had expired) and you're telling the IDP to not show any UI
elements to the subject (by using isPassive) the IDP can only return
an error to the SP (or terminate processing, I guess), no?

"isPassive" is not a means to force an IDP to provide SSO when
otherwise (lacking isPassive in the authn request) it wouldn't.
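
The behaviour described above, as an added example that is not part of the original post or of Shibboleth's code: an SP-side sketch that sets IsPassive on an AuthnRequest and classifies the IdP's answer. The status URIs are the SAML 2.0 core values; the IDs, timestamps, entity names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

def build_authn_request(request_id, issuer, acs_url, is_passive):
    """Minimal unsigned AuthnRequest; IsPassive is an xs:boolean attribute."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2019-11-04T16:00:00Z",  # constructed timestamp
        "AssertionConsumerServiceURL": acs_url,
        "IsPassive": "true" if is_passive else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def status_codes(response_xml):
    """Return the nested StatusCode values, outermost first."""
    codes = []
    node = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP}}}StatusCode")
    return codes

def passive_outcome(response_xml):
    """Classify the answer to an IsPassive request (signature checks omitted here)."""
    codes = status_codes(response_xml)
    if codes[:1] == [STATUS + "Success"]:
        return "sso"         # the IdP had a usable session and issued an assertion
    if STATUS + "NoPassive" in codes:
        return "no-session"  # the IdP would have had to show UI, so it returned an error
    return "error"

# Constructed sample: what an IdP sends back when it cannot authenticate passively.
NO_PASSIVE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2019-11-04T16:00:01Z" InResponseTo="_a1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""
```

A "no-session" result only tells the SP that no silent login was possible; getting the user in still takes a normal, non-passive request.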

