Automatic logon using Windows AD credential without having to re-enter username and password at IdP

Prashanth Patali patali at
Wed Jun 24 16:41:36 UTC 2020

Thanks, Peter.

The reason the customer is pushing us is that there is another cloud-hosted
application which also uses the SAML protocol (I don't know if they use
Shibboleth SP or not), and authentication for that application happens
seamlessly using the local domain credentials. The customer is not ready to add
my application (which is hosted in the cloud) to the 'Trusted Sites' list of
the browser, and he confirms that this other application is also not in the
'Trusted Sites' list of the browser.

As this other application is able to do auto logon, I assume SPNEGO might
have been configured properly at the IdP.

There is an interesting behaviour I observed if the IdP URL is added to
the 'Local Intranet' list of the browser. This ensures that the local AD
credential is presented to the IdP. The browser redirects to the IdP, the IdP
recognizes the credential and performs auto logon (the username & password
screen is not displayed). However, once the browser redirects back to the SP,
the SAML response fails and the SP has the following error in the shibd.log
file. I can see the browser being forced to redirect back to the IdP and back
to the SP a couple of times, and then it fails with the browser error shown
below.

shibd.log file:
2020-06-22 12:01:25 WARN Shibboleth.SSO.SAML2 [9] [default]: error
processing incoming assertion: SAML response reported an IdP error.

Error displayed to the user in the browser:
Server Error
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be

Why is the SP not accepting the SAML response when the user's credentials were
accepted by the IdP? Is the IdP expecting some signalling from the SP? Should I
be configuring something in the SP to allow or signal the authentication

On Wed, Jun 24, 2020 at 9:12 PM Peter Schober <peter.schober at>

> * Prashanth Patali <patali at> [2020-06-24 17:32]:
> > When the user navigates to my application URL, the browser properly
> > redirects to IdP and is presented with a username and password
> > screen.
> This pretty clearly shows that it's the IDP that should be doing
> something differently (SPNEGO, instead of forms-based authn), no?
> With SAML WebSSO as the protocol between the SP and the IDP the SP
> sends the browser on to the IDP (with optional signalling about authn
> methods, but mentioning that will probably only add confusion
> here). How the IDP performs authentication is then up to the IDP.
> Probably the browsers are not set up for SPNEGO with the IDP, or
> something along those lines. Basically the SP is the only part that
> has no role here, it's all between the web browser and the IDP.
> -peter
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at