Question

I'm new to Identity Assertion Provider (IdP) and the whole Single sign-on (SSO) architecture.

Today we have a SharePoint 2010 application that has claims authentication in place. The environment, or the flow of the sign-on, is as follows:

SharePoint <-> Azure AC <-> ADFS <-> Shibboleth

This works and the SSO is working correctly. We now want to auto sign in the user by getting the Security Assertion Markup Language (SAML) response from a different source (not Shibboleth).

SharePoint <-> Azure AC <-> ADFS <- REST (different client than the user's client) <-> Shibboleth.

We will receive the SAML as header or plain text.

What I want to do now is to set or validate the user in Active Directory Federation Service (ADFS) based on the response from the Representational state transfer (REST) service. What we are missing is the idp_session cookie from Shibboleth which is set on the client, in this case the REST service host.

The (REST) service host is performing a normal sign in to Shibboleth.

Does anyone know a good tutorial, or what to search for to achieve this? Is it even possible?

The application that gets the REST response is on the same domain as Shibboleth. So we could maybe set the idp_session cookie ourselves.

Any response or guidelines are very appreciated.


Solution

Possible solution, and tried successfully in lab environment.

Shibboleth is hosted on a sub domain of the application that is supposed to set the cookie. So what we tried, and what was successful, was to send the _idp_session cookie over the REST service and, from our application, return that value to the client with the HTTP header Set-Cookie.

So now when we redirect the user into our SharePoint environment, the client has the _idp_session cookie and gets authenticated through the chain of client -> SharePoint <-> Azure AC <-> ADFS <-> Shibboleth :)
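The mechanism the answer relies on is the browser's cookie domain-match rule: a Set-Cookie emitted by the application host only reaches the Shibboleth host if that host is a sub-domain of the cookie's Domain attribute, and only the application host (or a parent of it) may set such a Domain. The following is an added example, not code from the original question or answer, that builds the Set-Cookie header for the forwarded _idp_session value with the scope and flags a bearer session credential should carry, then checks whether a browser would actually present it to the IdP host. All host names and the session value are constructed placeholders; the 3600-second lifetime is an assumption, not something the post specifies.

```python
"""Added example (not from the original post): hand a Shibboleth
_idp_session value, received over a trusted REST channel, to the browser
via Set-Cookie so that it is sent to the IdP sub-domain on the later
SharePoint -> Azure AC -> ADFS -> Shibboleth redirect.

Host names, session value and the max-age are constructed assumptions.
"""
from http.cookies import SimpleCookie

COOKIE_NAME = "_idp_session"  # cookie name as used in the answer


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals cookie_domain or is a sub-domain
    of it, compared on a label boundary so 'evil-sso.example.test' does not
    match a cookie scoped to 'sso.example.test'."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_domain_for(app_host: str, idp_host: str) -> str:
    """Domain attribute the application may set so the cookie reaches the
    IdP. A response may only scope a cookie to its own host or a parent of
    it, so the IdP must sit under the application host (the answer's
    'sub domain of the application' layout); otherwise refuse."""
    if not domain_matches(idp_host, app_host):
        raise ValueError(
            f"{idp_host} is not under {app_host}; a browser would never send the cookie there"
        )
    return app_host


def build_set_cookie(session_value: str, app_host: str, idp_host: str) -> str:
    """Build the Set-Cookie header value for the forwarded IdP session.

    The value is a bearer credential, so it is marked Secure (TLS only) and
    HttpOnly (not readable by page script), scoped no wider than the
    application domain, and given a bounded lifetime (assumed 1 hour)."""
    if any(ch in session_value for ch in ';,\r\n "'):
        raise ValueError("session value contains characters not allowed in a cookie")
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_value
    morsel = jar[COOKIE_NAME]
    morsel["domain"] = cookie_domain_for(app_host, idp_host)
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["max-age"] = 3600  # assumption: bound how long the copied session lives
    return morsel.OutputString()


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie value back into name, value and lower-cased
    attribute names (flags map to True), i.e. what the browser stores."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name, "value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return attrs


def browser_would_send(header: str, target_host: str, https: bool) -> bool:
    """Would a browser that stored this cookie include it in a request to
    target_host? Checks the Secure flag against the scheme and the Domain
    attribute against the host."""
    attrs = parse_set_cookie(header)
    if attrs.get("secure") and not https:
        return False
    return domain_matches(target_host, attrs["domain"])


if __name__ == "__main__":
    # Constructed layout: app on sso.example.test, IdP on idp.sso.example.test
    hdr = build_set_cookie("constructedSessionValue123", "sso.example.test", "idp.sso.example.test")
    print("Set-Cookie:", hdr)
    print("sent to IdP over https:", browser_would_send(hdr, "idp.sso.example.test", True))
    print("sent to IdP over http: ", browser_would_send(hdr, "idp.sso.example.test", False))
```

Two points worth keeping in mind with this layout: every host under the application domain receives the cookie, so the Domain attribute should be the narrowest parent that still covers the IdP, and the REST channel that carries the raw _idp_session value is now part of the authentication boundary and needs the same transport and peer-authentication protection as the IdP itself.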

License: CC-BY-SA with attribution
Not affiliated with StackOverflow