Can Shibboleth 3.4.x delegate authentication to another IDP (such as Azure B2C)

Claude Libois at
Thu Jul 16 15:37:59 UTC 2020

Thanks for your answer.
Using shibboleth as SP in front of the IDP is an interesting idea.
I have found that there is a possibility to use the ExternalAuthentication
but I would have to manually handle the whole SAML flow...
The SAML Proxy login flow is clearly the cleaner solution. However, our
planning is too short and risky to do a migration from 3.4.1 to 4.x. I will
check with our infrastructure however.
I will also check if by any chance this feature has been back-ported (or if
I can backport it).
Thank you very much for your tips.

On Thu, Jul 16, 2020 at 16:49, Peter Schober <peter.schober at> wrote:

> * Claude Libois < at> [2020-07-16 16:35]:
> > However, our architect claims that since version 3.3.x it's possible
> > that shibboleth transfer the authentication to an external IDP.
> Not sure what that refers to specifically but any Shibboleth IDP can
> be used in such a manner by protecting its SSO endpoints with a SAML
> SP (e.g. of the Shibboleth implementation) and hooking that SP up to
> the external IDP.
> To make that even easier IDPv4 mentions a "SAML proxy login flow"
> under "Noteworthy New Features" as part of its Release Notes:
> Since you'll have to upgrade your IDPv3 to v4 anyway before the end of
> the year (when support for IDPv3 will end) you might as well upgrade
> now and make use of that new feature.
> -peter