
shibboleth-dev - Re: [Shib-Dev] idp-initiated SSO

Subject: Shibboleth Developers

  • From: Nate Klingenstein <>
  • To:
  • Subject: Re: [Shib-Dev] idp-initiated SSO
  • Date: Tue, 7 Oct 2008 02:46:23 +0000

Yangling,

Thank you for reading this letter, which is from Peking University, China.

It's great to hear from you guys again.  Give my best regards to Ms. Chen and the rest of the team. :D

I have one question here: Has IdP-initiated SSO been implemented in Shibboleth 2.0? I appreciate you very much. Thank you.

Basically, yes.  There is no separate implementation to do this, because the functionality can be easily provided just by spoofing an authentication request as if the SP had made it.  You can place such a spoofed authentication request statically on a web page, such as a portal.  This can be done for SAML 1.1 or SAML 2.0, and it can be done for SAML 2.0 using either a Shibboleth 1.3-style authentication request, or a SAML 2.0 AuthnRequest.  You just need to make sure you have the right endpoints selected in your spoof.

There is a specification that allows this to be done with trust added, but I don't think it's implemented yet, and it's not a requirement for most use cases.


Take care,
Nate.
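
The following is an added example, not part of the original message or of the Shibboleth code base: a helper that builds the Shibboleth 1.3-style authentication request link described above for placement on a portal page, and refuses to emit it unless the endpoint matches what is registered for the SP. The host names, the `SP_METADATA` table, the `/idp/profile/Shibboleth/SSO` path (assumed to be the default of an IdP 2.x deployment) and the same-host rule for `target` are assumptions made for this example.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample values; replace them with your own deployment's data.
IDP_SSO = "https://idp.example.org/idp/profile/Shibboleth/SSO"  # assumed default path
SP_METADATA = {
    # SP entityID -> assertion consumer URLs listed for it in metadata
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/SAML/POST",
    },
}


def build_portal_link(entity_id, acs_url, target):
    """Return a Shibboleth 1.3-style authentication request URL.

    The request is unsigned, so every value is checked against local
    data before the link is published on a portal page.
    """
    registered = SP_METADATA.get(entity_id)
    if registered is None:
        raise ValueError(f"unknown SP entityID: {entity_id}")
    # "The right endpoints": shire must be an ACS URL registered for this SP.
    if acs_url not in registered:
        raise ValueError(f"{acs_url} is not a registered endpoint of {entity_id}")
    # Example policy (an assumption): the landing page must be an https URL
    # on the same host as the SP endpoint, so the link cannot forward the
    # user to an unrelated site after login.
    parsed = urlsplit(target)
    if parsed.scheme != "https" or parsed.hostname != urlsplit(acs_url).hostname:
        raise ValueError("target must be an https URL on the SP's own host")
    query = urlencode({
        "providerId": entity_id,  # which SP the assertion is issued for
        "shire": acs_url,         # where the IdP delivers the assertion
        "target": target,         # resource the user lands on afterwards
    })
    return f"{IDP_SSO}?{query}"


if __name__ == "__main__":
    print(build_portal_link(
        "https://sp.example.org/shibboleth",
        "https://sp.example.org/Shibboleth.sso/SAML/POST",
        "https://sp.example.org/secure/",
    ))
```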


