> AD FS offers integrated ("invisible") authentication;
Can you expand? Do you mean SPNEGO? If so. Also, what sort of ADFS? I don't follow that particular trail but ISTR that ADFS classic is being retired in the face of some funky cloudy Azure offering...
> Shibboleth requires explicit authentication.
Also offers it. [1]
If you don't mean SPNEGO then can you expand? I assume ADFS doesn't just say "yes" to everyone.
> 2. Configure Shibboleth to use AD FS as an identity provider
Yes, "just" configure it for remote user [2]
> • Shibboleth adds any claims it needs for the external relying party
This sounds a bit magical. How do you intend doing per principal claims?
[1] https://wiki.shibboleth.net/confluence/display/IDP30/SPNEGOAuthnConfiguration
[2] https://wiki.shibboleth.net/confluence/display/IDP30/RemoteUserAuthnConfiguration
> Any ideas…?
I'd investigate SPNEGO. But that's where my comfort is. You should probably investigate RemoteUser since your comfort appears to be with ADFS...
/R