Shibboleth Developers

["Scott Cantor" <>]

> What I am hearing is...  "technically, yes.  But practically, no."

What's the question? Validating passwords is not the job of the IdP, it's
the job of the authentication service(s) the IdP is using. If that's the use
case, it's not a SAML or IdP issue.

But you asked about forced authentication, and the answer is technically and
practically yes, if the SP does so properly and if the IdP is deployed to
support SAML 2 features like that. Lots of IdPs can do that. It's only a
problem when you get into more exotic deployments that punt to external SSO,
and even then it's sometimes possible.

-- Scott