By: Jonas Bimer user 16 Sep 2016 at 7:44 a.m. CDT

7 Responses
Hi, I'm new to GLUU, but would like to use the saml authentication script provided under Custom Scripts. But when I enable it and set it as the default authentication method, I get redirected to https://gluu.host.net/oxauth/error.htm?cid=101 with the error "Failed to authenticate". There is nothing written to the wrapper.log. What could be the cause of this error?

By Mohib Zico staff 16 Sep 2016 at 10:35 a.m. CDT

Jonas, we are upgrading the SAML script atm; please bear with us for some time. We will let you know when it's done.

By Michael Schwartz Account Admin 16 Sep 2016 at 11:28 a.m. CDT

You may be confused... this script is used when you want the Gluu Server to rely on an external IDP. The primary use case for this is when there is a SAML proxy--for example, if you are operating a SaaS service where your customers each have their own SAML IDP. If you'd like to set a quick meeting, I'd be happy to give you a demo of the Gluu Server which may help orient you. My schedule is online at http://gluu.org/booking

By Michael Schwartz Account Admin 17 Sep 2016 at 12:11 p.m. CDT

I hope you don't mind, I'm posting the use case so our engineers can understand:

Thanks for getting back to me. My use case is that we have an on-premise SAML2 IdP where I want to authenticate our users. I now want to add OpenID Connect capabilities in order to better support our mobile apps. I want to use the Gluu server as our OIDC auth and token server. But user authentication should be done by our IdP.

So basically I would like the user flow to be:

1. From the native app we open a browser and send an auth request to the Gluu OIDC authentication end point.
2. Gluu as the SAML SP sends the browser with a SAML Auth Request to our SAML IdP.
3. Our SAML IdP authenticates the user and sends a SAML response back to Gluu.
4. The Gluu server sends the Auth token back to the app.
5. The app can now complete the Auth code flow to get the ID token.

Is this a flow that would be supported through the saml authentication script?

By Michael Schwartz Account Admin 17 Sep 2016 at 12:20 p.m. CDT

I think this solution is overly complex. Is the end goal SSO between the web applications and mobile applications? For example, you use a mobile application, and then open the mobile system browser, and don't want to login again?

If you don't care about SSO, I would simply configure the Gluu Server to use the same password source for authentication (i.e. LDAP), and use the Gluu Server cache refresh service to sync the user attributes.

If you do want SSO, what you're suggesting is actually possible. I think you could use the SAML custom interception script. Here is a link to a [similar use case for the SAML script](https://ox.gluu.org/doku.php?id=asimba:setup_testing#interception_script_configuration) but I think there may be some differences, depending on the IDP that you are using (this script is using the Asimba proxy as the IDP--which you don't need because you only have one inbound SAML IDP). I think we can help you with this, but you're going to have to include a fair amount of information--screenshots, logs, and other material to help us figure out how to configure the script.

One more piece of advice: you should use the AppAuth libraries for mobile authentication. You can read my [recent blog](http://gluu.co/appauth-blog)

By Jonas Bimer user 19 Sep 2016 at 2:49 p.m. CDT

Hi Michael, the reason for federating the authentication back to our IdP is because we have an on-prem 2-factor authentication solution that our enterprise users are required to do. The proof-of-concept that I would like to do is to host the Gluu server in the public cloud and use it as the OpenID Connect provider, but still reuse the on-prem Access Management solution (including our IdP) that we have in place to provide enterprise authentication. I'd be glad to provide any information that you need.

Best Regards,
Jonas

By Michael Schwartz Account Admin 19 Sep 2016 at 2:51 p.m. CDT

Interesting... ok. It might work. I think the one thing that is not well documented is how to generate SP metadata from the oxAuth authn script. I'm going to assign this issue to one of our engineers. BTW, what kind of 2FA is it? I'm still wondering if the medicine is worse than the disease...

By Mohib Zico staff 19 Sep 2016 at 3:19 p.m. CDT

The metadata of such an SP would be something like this:

```
<!-- Unsigned metadata for oxAuth -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://test.gluu.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- The IdP posts the SAML Response to this ACS location -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.gluu.org/oxauth/postlogin" index="0"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Gluu</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Gluu - Open Source Access Management</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.gluu.org</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>support@gluu.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```
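The flow Jonas describes (Gluu as the OIDC provider in front, the on-prem SAML IdP behind it) hinges on oxAuth acting as a SAML SP. As an added example that is not Gluu's code and not the SAML interception script, the Python 3 block below builds the same minimal SP metadata Mohib posted, constructs the AuthnRequest for step 2 of the flow, and runs the checks an SP has to apply to the IdP's Response at step 3 before it goes on to issue the OIDC authorization code. The entityID and ACS URL are the ones from the metadata above; the IdP SSO URL, the IdP entity ID and the sample Response are constructed for the demo. XML signature verification is left to the SAML library and is not implemented here. Gluu's interception scripts are Jython, so this stands alone rather than dropping into the script.

```python
# Added example, not Gluu's code: the SAML side of the OIDC-in-front, SAML-
# behind flow discussed above. entityID and ACS URL come from Mohib's metadata;
# the IdP URL and the IdP Response are constructed. No signature check here.
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
ENTITY_ID = "https://test.gluu.org/saml"             # from the metadata above
ACS_URL = "https://test.gluu.org/oxauth/postlogin"   # from the metadata above
IDP_SSO_URL = "https://idp.example.com/sso"          # assumed on-prem IdP endpoint
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_sp_metadata(entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Minimal SP metadata: one HTTP-POST ACS, like the hand-written one above."""
    ed = ET.Element("{%s}EntityDescriptor" % NS["md"], entityID=entity_id)
    sp = ET.SubElement(ed, "{%s}SPSSODescriptor" % NS["md"],
                       protocolSupportEnumeration=NS["samlp"])
    ET.SubElement(sp, "{%s}AssertionConsumerService" % NS["md"],
                  Binding=POST_BINDING, Location=acs_url, index="0")
    return ET.tostring(ed, encoding="unicode")

def parse_sp_metadata(xml_text):
    """(entityID, ACS Location) as the IdP will read them from our metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return root.get("entityID"), acs.get("Location")

def build_authn_request(issue_instant, entity_id=ENTITY_ID, acs_url=ACS_URL,
                        idp_sso_url=IDP_SSO_URL):
    """Step 2: the AuthnRequest the browser carries to the IdP. The returned ID
    must be kept in the session so the Response's InResponseTo can be matched."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": idp_sso_url, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = entity_id
    return request_id, ET.tostring(req, encoding="unicode")

def check_response(resp_xml, expected_request_id, now, entity_id=ENTITY_ID,
                   acs_url=ACS_URL):
    """Step 3, SP side: the checks that stop a Response being replayed, redirected
    to another SP, or accepted after expiry. Returns problems; empty = accept."""
    problems = []
    now_dt = datetime.datetime.strptime(now, TS)
    root = ET.fromstring(resp_xml)
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion (EncryptedAssertion not handled)"]
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != entity_id:
        problems.append("Audience does not name our entityID")
    cond = assertion.find("saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after is None or now_dt >= datetime.datetime.strptime(not_after, TS):
        problems.append("assertion has no NotOnOrAfter or has expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/"
                         "saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != expected_request_id):
        problems.append("bearer SubjectConfirmationData Recipient/InResponseTo mismatch")
    return problems

def sample_idp_response(request_id, not_after, name_id="jonas"):
    """Constructed, unsigned IdP Response for the demo (a real one carries ds:Signature)."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2016-09-19T19:59:00Z" Destination="%s" InResponseTo="%s">'
        '<saml:Issuer>https://idp.example.com/idp</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-09-19T19:59:00Z">'
        '<saml:Issuer>https://idp.example.com/idp</saml:Issuer>'
        '<saml:Subject><saml:NameID>%s</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="%s" InResponseTo="%s" NotOnOrAfter="%s"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions NotBefore="2016-09-19T19:58:00Z" NotOnOrAfter="%s">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], ACS_URL, request_id, SUCCESS, name_id,
         ACS_URL, request_id, not_after, not_after, ENTITY_ID)
```

Each check maps to a concrete failure the setup in this thread would otherwise be open to: InResponseTo together with the bearer SubjectConfirmationData stops an assertion captured from another session being replayed; Destination and Recipient stop a Response issued for a different SP being posted to this ACS; Audience stops reuse across SPs that share the IdP; NotOnOrAfter bounds the window. Because there is only one inbound IdP here, the script can pin that IdP's entity ID and signing certificate from its metadata rather than accepting whatever Issuer the Response names.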