
edugain-discuss - Re: [eduGAIN-discuss] Assistance with Integrating Shibboleth IDP with Azure AD

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Muhammad Farhan SJAUGI <farhan AT sifulan.my>
  • To: "Cantor, Scott" <cantor.2 AT osu.edu>
  • Cc: Andreas Theodorou <andreas.theodorou AT cynet.ac.cy>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Assistance with Integrating Shibboleth IDP with Azure AD
  • Date: Thu, 4 May 2023 20:35:45 +0800

Hi Scott,

What I meant was using Shibboleth IdP as Azure AD's authenticator (not Shibboleth IdP as a proxy IdP to Azure AD).

From my previous experience, when the Windows machine wanted to log in to Azure AD, the login page of the Shibboleth IdP popped up and asked the user to enter their username and password (for authentication purposes to OpenLDAP). After a successful authentication, Azure AD failed to continue the authentication process due to some missing attributes. After further research, I found out that this attribute seems to only exist in ADFS.

If you have ever encountered the same issue before and have a solution to make a Windows PC log in to Azure AD via Shibboleth IdP, would you mind sharing it?

Regards

--
Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.
VP (Engineering and Services)
SIFULAN Malaysian Access Federation
PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C
MBOT: GT20040131 |  ORCID: https://orcid.org/0000-0001-8497-1768



On Thu, May 4, 2023 at 8:23 PM Cantor, Scott <cantor.2 AT osu.edu> wrote:
The documentation for any use of proxying is https://wiki.shibboleth.net/confluence/display/IDP4/SAMLAuthnConfiguration and there is nothing particularly special about using Azure other than its lack of SAML compliance.

> Before I elaborate further, do you have any plan to authenticate windows
> machine to azure ad? If yes, then you may have a challenge to do so as
> shibboleth idp doesn’t support it.

Shibboleth supports SPNEGO and even if it didn’t, there couldn't possibly be anything the proxying IdP prevents the other IdP from doing with the client if it wants to.

-- Scott




