Can Shibboleth 3.4.x delegate authentication to another IDP (such as Azure B2C)

Peter Schober peter.schober at
Thu Jul 16 21:58:40 UTC 2020

* Claude Libois < at> [2020-07-16 17:38]:
> The SAML Proxy login flow is clearly the cleaner solution. However, our
> planning is too short and risky to do a migration from 3.4.1 to 4.x. I will
> check with our infrastructure however.

You did see my remark (or official announcements) that IDP v3 will be
EOL'd and out of support by the end of the year? (Of course v3.4.1 is
also out of support, current is 3.4.6. If any security bugs were
discovered you'd have to update to a current version there, too.)

Would you prefer to be pressured into a "short and risky migration" to
v4 should a critical security issue be discovered in the near future
(or be left vulnerable with a system you can't update within a few

> I will also check if by any chance this feature has been
> back-ported (or if I can backport it).

You really think backporting significant new features from IDPv4 to v3
yourself is a good idea[1]? Did you even look at the documentation for
the parts involved? And you think this would be easier than upgrading
your v3 system to v4 (or just putting an SP in front of your
unmodified IDP)? Good luck!

[1] Even if you were successful in such an endeavor (as far as you
know) you'd consequently be running code no one else in the world is
running, for a security service, after all. If obscurity worked that'd
probably be a very secure system.
