
Our cloud Shib IdP authenticates against Azure, but not with OIDC; it does it using SAML. We also have several other things, both on-prem and cloud, authenticating using SAML against Azure. E.g. our on-prem Blackboard, which uses the Shibboleth SP, now authenticates against Azure (we moved it from Shibboleth), ditto SITS eVision and a few other things.

When a user authenticates to a Shibboleth resource they get redirected to the O365 login screen, but not if the user is already directly authenticated to Azure (O365 etc). Hence we get SSO between Shib resources and Azure resources; it doesn't matter which one you go to first.

They've just rolled out the new Windows 10 student desktop and they're all Azure joined, so now there's no browser authentication needed at all. If you log in to one of those machines you're into everything by SSO anyway, using either Edge, IE or Chrome.

Cheers
Andy


-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 01 November 2018 13:01
To: [log in to unmask]
Subject: SAML/OIDC auth

Has anyone delegated IdP authentication to OIDC? In particular a Microsoft Azure STS? We have two 'SSO' routes, one SAML, the other Azure OIDC, and of course they don't talk to each other, but they could if the IdP was registered as an Azure tenant app and switched from LDAP to OIDC for authentication.

So in a typical SAML WBSSO flow, there would be an extra redirect to send the user to the STS and back rather than present a login page for local LDAP authentication. SAML would continue once the claims had come back from the STS in the browser.

I was wondering if anyone has seen this before or whether the I2 IdP supports such an 'sso bridge'? I see there's something called Okta which seems to be very complicated and very expensive but I'd prefer if the IdP could just use the Azure STS for its authentication.

thanks,

Alistair

########################################################################

To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1

The University of Dundee is a registered Scottish Charity, No: SC015096
