Can Shibboleth 3.4.x delegate authentication to another IDP (such as Azure B2C)
Claude Libois
clibois.work at gmail.com
Thu Jul 16 15:37:59 UTC 2020
Thank you for your answer.
Using Shibboleth as SP in front of the IDP is an interesting idea.
I have found that there is a possibility to use the ExternalAuthentication
but I would have to manually handle the whole SAML flow...
The SAML Proxy login flow is clearly the cleaner solution. However, our
planning is too short and risky to do a migration from 3.4.1 to 4.x. I will
check with our infrastructure however.
I will also check if by any chance this feature has been back-ported (or if
I can backport it).
Thank you very much for your tips.
Regards,
Claude
On Thu, Jul 16, 2020 at 16:49, Peter Schober <peter.schober at univie.ac.at>
wrote:
> * Claude Libois <clibois.work at gmail.com> [2020-07-16 16:35]:
> > However, our architect claims that since version 3.3.x it's possible
> > that Shibboleth transfers the authentication to an external IDP.
>
> Not sure what that refers to specifically but any Shibboleth IDP can
> be used in such a manner by protecting its SSO endpoints with a SAML
> SP (e.g. of the Shibboleth implementation) and hooking that SP up to
> the external IDP.
>
> To make that even easier IDPv4 mentions a "SAML proxy login flow"
> under "Noteworthy New Features" as part of its Release Notes:
> https://wiki.shibboleth.net/confluence/display/IDP4/ReleaseNotes
>
> Since you'll have to upgrade your IDPv3 to v4 anyway before the end of
> the year (when support for IDPv3 will end) you might as well upgrade
> now and make use of that new feature.
>
> -peter