Shibboleth SSO and LDAP


In Shibboleth auth provider, there is the following §:

The example config is rather simple and only accesses data from SSO during login. This is not sufficient for advanced features such as automatic synchronization of names, affiliations and phone numbers or using centrally managed groups. To use these features, you need to use e.g. the LDAP identity provider and use the information received via SSO to retrieve the user details from LDAP.

Could one expert confirm that using a SSO auth provider with an LDAP identity provider only makes sense if the same set of users is served from both, not when through SSO (Shibboleth) you give access to a wider set of users than from your (internal) LDAP?


Yes, since you’d get an error when trying to login with an auth provider where no identity information can be fetched for the user.