Automatic logon using Windows AD credential without having to re-enter username and password at IdP

Peter Schober peter.schober at univie.ac.at
Wed Jun 24 17:18:11 UTC 2020


* Prashanth Patali <patali at gmail.com> [2020-06-24 18:42]:
> Reason the customer is pushing us is - there is another cloud hosted
> application which also uses SAML protocol (I don't know if they use
> Shibboleth SP or not). And authentication for that application happens
> seamlessly using the local domain credentials.

FWIW, all the SAML bits that other SP sends should be visible in your
web browser using the SAMLtracer browser extension, for example.
That way you can rule out that it's something in the SAML (and
therefore: in your SP) that causes this difference in behaviour at the
IDP.

> There is an interesting behaviour I observed - if the IdP URL is
> added to the 'Local Intranet' list of the browser. This ensures that
> the local AD credential is presented to IdP. Browser redirects to
> IdP, IdP recognizes the credential and performs auto logon (username &
> password screen is not displayed).

Like I said, it's all between the browser and the IDP.

> However, once the browser redirects back to SP, the SAML
> response fails and SP has the following error in the shibd.log file.
[...]
> 2020-06-22 12:01:25 WARN Shibboleth.SSO.SAML2 [9] [default]: error
> processing incoming assertion: SAML response reported an IdP error.
> 
> Error displayed to user in browser:
>  Server Error
> 500 - Internal server error.
> There is a problem with the resource you are looking for, and it cannot be
> displayed.
> :2.0:status:Responder

The log you quote is a WARNing message, the browser message references
an error. I'd have assumed that the SP log will also have an
ERROR-level message, then?
Maybe you'd have to increase logging to DEBUG.
(I don't know off-hand if the error response from the IDP to your SP
would have been encrypted or not, if not you'll also see it verbatim
in the browser using SAMLtracer.)

> Why is SP not accepting the SAML response when user credentials were
> accepted by the IdP? Is IDP expecting some signalling from the SP? Should I
> be configuring something in SP to allow or signal the authentication
> methods?

A "Responder" status here means the IDP sent a SAML error message back
to your SP. Why the IDP did that you'd have to know the whole error
response and then likely also ask the IDP.

-peter
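As an added example that is not part of the thread: a small Python helper that decodes the SAMLResponse POST value (the same thing SAMLtracer shows you) and pulls out the top-level StatusCode, any nested second-level code, the StatusMessage and the Issuer, so a "Responder" status can be told apart from a Success and quoted in full when asking the IdP side. The sample response is constructed; the IdP and SP names in it are placeholders.

```python
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def saml_status(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse form field and summarise its Status.

    samlp:Status lives in the outer Response, outside any EncryptedAssertion,
    so it is readable from the POST body. Raises ValueError on non-Responses.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("Response carries no samlp:Status")
    top = status.find("samlp:StatusCode", NS)
    code = top.get("Value") if top is not None else None
    # A second-level StatusCode (e.g. AuthnFailed under Responder) is optional
    nested = top.find("samlp:StatusCode", NS) if top is not None else None
    msg = status.find("samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "ok": code == SUCCESS,
        "code": code,
        "subcode": nested.get("Value") if nested is not None else None,
        "message": msg.text.strip() if msg is not None and msg.text else None,
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
    }


# Constructed sample: an IdP error response like the one the SP log above
# reports, base64-encoded as it appears in the SAMLResponse POST parameter.
ERROR_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed1" Version="2.0" IssueInstant="2020-06-22T12:01:25Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>An error occurred.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>""").decode()
```

Feed it the SAMLResponse value copied out of SAMLtracer (or a DEBUG-level SP log) and the returned dict is what to paste into the ticket for the IdP operators.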

