By: Rehman Aslam user 07 Nov 2018 at 4:54 a.m. CST

4 Responses
Rehman Aslam gravatar
Reading the documentation for Inbound SAML, the testing section shows how to get your SP to go directly to the external IDP's login page... However this is for OpenID Connect authorization request - maybe I'm confused, but isn't there away I can set a property in my shibboleth2.xml? So rather than going to the passport login page, it goes directly to the external idp's?

By Mohib Zico staff 07 Nov 2018 at 6:50 a.m. CST

Mohib Zico gravatar
'Discovery' is a mandatory point for Inbound-SAML. You can/cannot show end users the discovery page but your workflow must have to run through discovery page to achieve a successful authentication.

By Rehman Aslam user 07 Nov 2018 at 8:17 a.m. CST

Rehman Aslam gravatar
Thats what I thought but how do I make it so its not visible to the end user?

By Kevin Manion user 15 Nov 2018 at 5:48 a.m. CST

Kevin Manion gravatar
Hi Mohib, I'm attempting to bypass the Gluu passport login page, and direct the user to their external IDP. I've set up a SessionInitiator in my Shibboleth2.xml which points to an html file. This file will take user input and then determine which IDP they should be directed to. I'm using some of the code from the 'idp_redirect' function on the passportlogin.xhtml page to redirect the user to their external IDP. This is working correctly, and the user can be authenticated by their IDP. On return to the passportpostlogin.xhtml page I receive an error though. It seems that because I've never visited the passportlogin.xhtml, then I'm missing some cookies that I need. Based on your comment above, it seems like I need to navigate through the passportlogin page somehow? To get the cookies? Can you provide more details on what you mean in the above comment. Thanks, Kevin

By Mohib Zico staff 20 Nov 2018 at 4:18 a.m. CST

Mohib Zico gravatar
[Here]( is a doc you can use for preselecting your authentication IDP. A preselecting link ( initiate from SP ) can be something like below: - change the hostname of your Gluu-passport server - Change client_id according to your setup - Add base64 encoded value for your `preselectedExternalProvider`. That value would be the provider name of your SAML IDP. remote IDP is '' which is registered in my passport server like below: ``` root@proxy:/etc/gluu/conf# cat passport-saml-config.json { "idp1_gluu_org": { "entryPoint": "", "issuer": "urn:test:pass-saml:showcase", "identifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "authnRequestBinding": "HTTP-POST", "additionalAuthorizeParams": "", "logo_img":"{Provider Logo url}", "enable":"true", ..... ..... ..... ``` Here you need to grab `{"provider" : "idp1_gluu_org"}` and do base64 encode and put that in URI: `https://[Gluu_passport_server_hostname]/oxauth/restv1/authorize?response_type=code&client_id=%40%21B3BF.86D3.10AA.520B%210001%2188B9.ADF8%210008%21B03C.F3CF&scope=openid+email+user_name&`