An open discussion list for topics related to the eduGAIN interfederation service.

[Muhammad Farhan SJAUGI <farhan AT sifulan.my>]

Hi Scott,

What I meant was using shibboleth idp as azure ad's authenticator (not shibboleth idp as proxy idp to azure ad).

From my previous experience, when the windows machine would like to login to azure ad, the login page of shibboleth idp pop-up and asked the user to enter their username and password (for authentication purposes to OpenLDAP). After a successful authentication, azure ad failed to continue the authentication process due to some missing attributes. After further research, I found out that this attribute seems to only exist in ADFS.

If you ever encountered the same issue before and have a solution to make windows pc login to azure ad via shibboleth idp, would you mind sharing it?

Regards

--

Ts. Muhammad Farhan Sjaugi, S.Kom. M.Sc.

VP (Engineering and Services)

SIFULAN Malaysian Access Federation

Email: farhan AT sifulan.my | Website: https://www.sifulan.my

PGP Fingerprint: 9AA0 1861 0921 3EBD 4E30 716A 1F71 FC55 49CD D06C

MBOT: GT20040131 |  ORCID: https://orcid.org/0000-0001-8497-1768

On Thu, May 4, 2023 at 8:23 PM Cantor, Scott <cantor.2 AT osu.edu> wrote:

The documentaton for any use of proxying is https://wiki.shibboleth.net/confluence/display/IDP4/SAMLAuthnConfiguration and there is nothing particularly special about using Azure other than it's lack of SAML compliance.

> Before I elaborate further, do you have any plan to authenticate windows
> machine to azure ad? If yes, then you may have a challenge to do so as
> shibboleth idp doesn’t support it.

Shibboleth supports SPNEGO and even if it didn’t, there couldn't possibly be anything the proxying IdP prevents the other IdP from doing with the client if it wants to.

-- Scott