How to setup remote auth

Peter Schober peter.schober at
Wed Mar 4 12:18:08 EST 2020

* Chris <alexseedkou at> [2020-03-03 20:05]:
> 1) User log in an external IDP
> 2) This external IDP provide some information of this user to shibboleth
> like uid and the SP which the user is trying to access
> 3) After the shibboleth idp receive this information, it will call another
> web application to get some other attribute of this user like group
> information, after that shibboleth will send the SAML response to the SP
> 4) The user can successfully access the SP

Ignoring step 3 (for which the IDP has support in the form of
DataConnectors; whether the existing ones match your use case depends
on details you're not sharing above) I think this all depends on the
nature and protocols/interfaces of the "external IDP".

In SAML IDPs don't talk to IDPs directly so there probably has to be
some SAML proxying involved, e.g. by setting up a Shib SP to protect
the Shib IDPs endpoints and in turn use the "external IDP" as SAML IDP
which then prompts the subject for authentication.
The fact that you start at the IDP may or may not make this more
difficult (if that means the IDP doesn't support SP-initiated SSO).

Of course the protcol between the "external IDP" and the part that
protects the IDP's SSO endpoints don't have to be SAML. They could be


More information about the users mailing list