We are trying to make SAML enable some old applications in order to make possible the interaction of those with a SAML SP. Those legacy apps use a token in the URL in order to perform SSO.
We have setup a Shibboleth IdP with a simple SAML SP application that generate the token on the fly so it makes possible the browse from the SAML SP and the legacy apps. Now we are working on the inverse path, which means browse from a legacy app to the SAML SP, would you please help us on this matter?
When the user go from the legacy app to the SAML SP, only s/he has the token, so we need to extend the Shibboleth IdP in order handle the token and authenticate the user using that, is it possible do this? If it is, how would be possible deliver the token to the IdP ? I believe the token will be part of the SAML SP URL instead of the IdP URL, so we loose during the SAML flow.
Is there any way to initiate the Shibboleth User session without the login handler?