Michael michael at wigleys.org.uk
Mon Jan 31 14:42:58 UTC 2022


We have been using Shibboleth for a while but only with a single IdP at any one time... What we want to be able to do is provide a fallback authentication service for users who are not on the enterprise IdP (which is way out of our control).

We have an application deployed using Apache Tomcat and secured by Shibboleth as a Service Provider. 95% of the users are on an enterprise-wide Windows 10 desktop infrastructure that uses Microsoft Active Directory. We use Microsoft ADFS as the IdP to connect to the Shibboleth SP on the application platform. All users from this domain have been pre-authenticated.

What we need is a slick way of allowing the 5% of users who come from non-domain-joined infrastructure to sign in. We have local LDAP directories we can put the accounts in; we just need a way of redirecting the access of non-domain users to these accounts whenever they hit the Shibboleth-protected URL. Either through a redirect directly to them or even via a static HTML page that says 'Hey! You need to sign in - click the URL here!'. Any ideas? (We could give them another URL for secondary sign-on first, but we are trying to avoid having to publish a second URL.) I have been trawling through the documentation but nothing clicks (I am a bit of a newbie though).
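An added configuration example, not from the original post or the Shibboleth project's shipped files, showing how a Shibboleth SP can serve the two-IdP case described above: instead of hard-coding the ADFS entityID in the SSO element, the SP is pointed at a discovery page that lets the user pick the enterprise IdP or the local LDAP-backed IdP, while both IdPs are pinned in metadata. All entityIDs, hostnames, file names and the discovery URL are assumed placeholders.

```xml
<!-- shibboleth2.xml fragment (added example; placeholder names throughout). -->
<ApplicationDefaults entityID="https://app.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">
    <!-- No entityID attribute here: with more than one IdP the SP cannot
         guess which one to use, so on an unauthenticated hit it redirects the
         browser to discoveryURL (the SAMLDS protocol) and the chosen IdP's
         entityID comes back from that page. discoveryURL can be the Embedded
         Discovery Service that ships with the SP, or a hand-written page whose
         "click here to sign in" links target /Shibboleth.sso/Login with the
         entityID and target parameters set. The original protected URL is
         preserved, so no second application URL needs publishing. -->
    <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://app.example.org/shibboleth-ds/index.html">
      SAML2
    </SSO>
  </Sessions>

  <!-- Enterprise IdP: ADFS federation metadata, signature-checked on load.
       Assumed certificate file adfs-signing.pem holds the ADFS signing cert. -->
  <MetadataProvider type="XML" validate="true"
                    url="https://adfs.example.org/FederationMetadata/2007-06/FederationMetadata.xml"
                    backingFilePath="adfs-metadata.xml" reloadInterval="7200">
    <MetadataFilter type="Signature" certificate="adfs-signing.pem"/>
  </MetadataProvider>

  <!-- Fallback IdP backed by the local LDAP accounts, loaded from a local file. -->
  <MetadataProvider type="XML" validate="true" path="local-idp-metadata.xml"/>
</ApplicationDefaults>
```

Only IdPs present in one of these MetadataProvider elements are trusted, so a user cannot reach the application by pointing the SP at an IdP of their own choosing; the discovery step merely selects among the two the SP already trusts.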

