I'm not totally clear what it is you're asking to do.
What I think you want is to authenticate shibboleth through ADFS so as to get SSO between the shibboleth world and the ADFS world (I'm assuming you're doing O365 that way)?
We have something akin to that.
6 months ago we decided that running the shib idp here was becoming increasingly burdensome and outsourced it to Overt Software. (It is _very_ cost effective). They have a module which passes authentication through to another SAML IdP, either ADFS or direct to Azure AD and provides SSO between SPs in the two worlds, it doesn't matter which you authenticate to first. https://www.overtsoftware.com/adfs-shibboleth-bridge/
We've found it to be brilliant.
We're not using ADFS though - we ditched it a year and a half ago and decided to ship the hash of the hash of the AD passwords up to Azure and do our authentication for O365 (and now an increasing number of SAML SPs) directly in the cloud, so this is where our Overt IdP authenticates. But the principle is the same.
From: Discussion list for Shibboleth developments, On Behalf Of Anwar Mahmood
Sent: 27 March 2018 17:08
Subject: Shibboleth - External Authentication to AD FS?
I work in the IT service delivery team at University of Central Lancashire.
AD FS offers integrated ("invisible") authentication; Shibboleth requires explicit authentication.
We have lots of external service providers connected with Shibboleth.
1. Add Shibboleth as a relying party to AD FS.
2. Configure Shibboleth to use AD FS as an identity provider.
• external relying party|service provider continues to send user to Shibboleth
• Shibboleth redirects [anonymous] users to AD FS for authentication
• AD FS authenticates (transparently on organisational devices)
• AD FS then redirects the browser back to Shibboleth
• Shibboleth adds any claims it needs for the external relying party
• Shibboleth redirects the browser back to the external relying party|service provider
Shibboleth IdP supports an external authentication mechanism, described at…
IdPAuthExternal - Shibboleth 2 - Shibboleth Wiki https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal
"This login handler requires additional code to be written in order to trigger the external authentication system. If you're simply looking to authenticate based on the presence of the REMOTE_USER header use the Remote User login handler."
I can’t write code!
Another option is…
IdPAuthRemoteUser - Shibboleth 2 - Shibboleth Wiki
But the page doesn’t really provide a full solution.
Long term, we should move service providers directly to AD FS. And we will, where possible. This is an intermediate fix.