I work in the IT service delivery team at University of Central Lancashire.
• AD FS
AD FS offers integrated ("invisible") authentication; Shibboleth requires explicit authentication.
We have lots of external service providers connected with Shibboleth.
1. Add Shibboleth as a relying party to AD FS.
2. Configure Shibboleth to use AD FS as an identity provider
• external relying party|service provider continues to send user to Shibboleth
• Shibboleth redirects [anonymous] users to AD FS for authentication
• AD FS authenticates (transparently on organisational devices)
• AD FS then redirects the browser back to Shibboleth
• Shibboleth adds any claims it needs for the external relying party
• Shibboleth redirects the browser back to the external relying party|service provider
Shibboleth IdP supports an external authentication mechanism, described at…
IdPAuthExternal - Shibboleth 2 - Shibboleth Wiki
"This login handler requires additional code to be written in order to trigger the external authentication system. If you're simply looking to authenticate based on the presence of the REMOTE_USER header use the Remote User login handler."
I can’t write code!
Another option is…
IdPAuthRemoteUser - Shibboleth 2 - Shibboleth Wiki
But the page doesn’t really provide a full solution.
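As an added illustration (not from the original talk, and not the Shibboleth project's own documented solution for an AD FS front end), this is the shape of the Remote User login handler entry in a Shibboleth IdP 2 conf/handler.xml. It assumes that something in front of the IdP (for example the web server that proxies to the servlet container) has already completed the AD FS login and populated REMOTE_USER for requests to the protected /Authn/RemoteUser path; that component is outside this fragment.

```xml
<!-- Added example fragment for Shibboleth IdP 2 conf/handler.xml (not the full file).
     Assumption: the web server or container in front of the IdP performs the AD FS
     authentication and sets REMOTE_USER for every request to /Authn/RemoteUser. -->
<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- existing ProfileHandler elements stay exactly as shipped -->

    <!-- RemoteUser login handler: the IdP accepts the container-supplied REMOTE_USER
         as the authenticated principal instead of presenting its own login form.
         Replace (do not sit alongside) the UsernamePassword handler so the IdP never
         falls back to prompting. -->
    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>

</ph:ProfileHandlerGroup>
```

The check that matters for this design: /Authn/RemoteUser must be reachable only through the path that enforces the AD FS login. If the container derives REMOTE_USER from a header forwarded by a reverse proxy, confirm the proxy strips any client-supplied copy of that header before forwarding; otherwise a browser that never touched AD FS could name an arbitrary principal and the IdP would issue assertions for it.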
Long term, we should move service providers directly to AD FS. And we will, where possible. This is an intermediate fix.