Can Shibboleth 3.4.x delegate authentication to another IDP(such as Azure B2C)

Claude Libois at
Fri Jul 17 04:57:23 UTC 2020

In the professional world things are way more complicated.
TBH, a decision has been taken to go out of Shibboleth and aim to run only
on azure B2C(lack of openidconnect support is a huge problem). This last
work is an attempt to provide a federation between azure B2C to keep an SSO
between old and new applications.
Moreover, I have to evaluate this "bridge" in only 4 days...
So I do agree that in the best world,
- with an infinite time and budget
- no organizational constraints,
- full understanding from the top management that we have to make long term
 migration to IDP4 is the best bet. However, this world doesn't exist and
I'm just able to do the best I can.
So don't kill the messenger ;-). I'm just an external consultant who hasn't
the power to influence the whole way of working of my client.

Le jeu. 16 juil. 2020 à 23:58, Peter Schober <peter.schober at> a
écrit :

> * Claude Libois < at> [2020-07-16 17:38]:
> > The SAML Proxy login flow is clearly the cleaner solution. However, Our
> > planning is too short and risky to do a migration from 3.4.1 to 4.x. I
> will
> > check with our infrastructure however.
> You did see my remark (or official announcements) that IDP v3 will be
> EOL'd and out of support by the end of the year? (Of course v3.4.1 is
> also out of support, current is 3.4.6. If any security bugs were
> discovered you'd have to update to a current version there, too.)
> Would you prefer to be pressured into a "short and risky migration" to
> v4 should a critical security issue be discovered in the near future
> (or be left vulnerable with a system you can't update within a few
> hours/days)?
> > I will also check if by any chance this feature have been
> > back-ported (or if I can backport it).
> You really think backporting significant new features from IDPv4 to v3
> yourself is a good idea[1]? Did you even look at the documentation for
> the parts involved? And you think this would be easier than upgrading
> your v3 system to v4 (or just putting an SP in front of your
> unmodified IDP)? Good luck!
> -peter
> [1] Even if you were successful in such an endeavor (as far as you
> know) you'd consequently be running code noone else in the world is
> running, for a security service, after all. If obscurity worked that'd
> probably be a very secure system.
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list