isPassive

The isPassive feature can only be used with a SAML2 Service Provider. It allows a user to be logged in automatically on a web page without any user interaction. However, for this to work:

  1. the user must already have a valid session at their Identity Provider and
  2. the Discovery Service must be able to "guess" this Identity Provider for the user.

If both conditions are met, the user's attributes will be available automatically when they access a page that makes use of isPassive, e.g. using the script below.

If one of the two requirements above cannot be met, the Service Provider will throw an error. Therefore, a Service Provider administrator who wants to use the auto-login feature has to use a script like the one below, which makes sure the user won't see that error.

The main requirement for implementing isPassive in SAML2 products is that there must not be any user interaction while the user is at the Discovery Service or the Identity Provider. Therefore, isPassive can only be expected to work with authentication systems and other authentication-related tools that obey this requirement.

Note:
External authentication systems like CAS and Pubcookie most likely won't obey isPassive.

To use the script, do the following:

  • Add the script below to a page (#THIS PAGE#) where you want to have auto-login, e.g. a portal's home page.
  • In your Service Provider 2.x shibboleth2.xml file, add redirectErrors="#THIS PAGE#" to the Errors element.
    • As of SP 2.2 you can set ignoreNoPassive on your AssertionConsumerService, e.g.:

    • If you don't have an <AssertionConsumerService> but only an <SSO> element (new simplified configuration), it is enough to add a conf:ignoreNoPassive="true" attribute to it.
  • Make sure #THIS PAGE# is protected with a lazy session (no Shibboleth session is enforced, but attributes are made available to the application if the user has a session).

Note:
If the Discovery Service guesses that a user's Identity Provider is a SAML1 IdP, this IdP won't obey the isPassive requirement not to interact with the user. Therefore, the user could still be asked to authenticate at the IdP.
If a user already has a session with a SAML1 IdP, things should work as expected unless other tools installed at the IdP don't obey isPassive.
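
The following JavaScript is an added example, not the script this page refers to: it implements the page-side logic described above (try a passive login once, then return quietly when the Service Provider redirects back to #THIS PAGE# with an error). The cookie name `_check_is_passive`, the default handler path `/Shibboleth.sso/Login`, the check for an `errorType` query parameter and the same-origin check on the return URL are assumptions of this example.

```javascript
// Added example (not the original script): isPassive auto-login logic.
// Assumptions: marker cookie name, default handler path, HTTPS page.
const MARKER = "_check_is_passive";
const LOGIN_HANDLER = "/Shibboleth.sso/Login";

// Return the decoded value of a cookie, or null if absent or malformed.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key !== name) continue;
    try { return decodeURIComponent(rest.join("=")); } catch { return null; }
  }
  return null;
}

// Accept only return targets on the page's own origin, so a planted
// cookie value cannot turn the page into a redirector.
function sameOrigin(target, origin) {
  try { return new URL(target, origin).origin === origin; } catch { return false; }
}

// Decide what the page does for this request: which cookie to set
// (if any) and where to redirect (if anywhere).
function nextStep(href, cookieString) {
  const url = new URL(href);
  const marker = readCookie(cookieString, MARKER);
  if (marker === null) {
    // First visit in this browser session: remember the page, try once.
    return {
      setCookie: `${MARKER}=${encodeURIComponent(href)}; path=/; Secure; SameSite=Lax`,
      redirect: `${LOGIN_HANDLER}?isPassive=true&target=${encodeURIComponent(href)}`,
    };
  }
  // Assumed: redirectErrors sends the browser back here with error
  // details in the query string when the passive login failed.
  const failed = url.searchParams.has("errorType");
  if (failed && sameOrigin(marker, url.origin)) {
    return { setCookie: null, redirect: new URL(marker, url.origin).href };
  }
  return { setCookie: null, redirect: null };
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const step = nextStep(window.location.href, document.cookie);
  if (step.setCookie) document.cookie = step.setCookie;
  if (step.redirect) window.location.replace(step.redirect);
}
```

Because the marker is a session cookie, the passive attempt happens once per browser session; a user who logs in at the IdP later is picked up only after the cookie is gone.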