Can Shibboleth 3.4.x delegate authentication to another IDP (such as Azure B2C)

Peter Schober peter.schober at
Thu Jul 16 14:48:52 UTC 2020

* Claude Libois < at> [2020-07-16 16:35]:
> However, our architect claims that since version 3.3.x it's possible
> that Shibboleth transfers the authentication to an external IDP.

Not sure what that refers to specifically but any Shibboleth IDP can
be used in such a manner by protecting its SSO endpoints with a SAML
SP (e.g. of the Shibboleth implementation) and hooking that SP up to
the external IDP.

To make that even easier IDPv4 mentions a "SAML proxy login flow"
under "Noteworthy New Features" as part of its Release Notes:

Since you'll have to upgrade your IDPv3 to v4 anyway before the end of
the year (when support for IDPv3 will end) you might as well upgrade
now and make use of that new feature.

