Shibboleth SSO connect to SP or maintain user store


I am new to Shibboleth and want to provide my client with an IdP for their existing system. The goal is to have other 3rd-party applications log in to gain a seamless login experience using SAML SSO.

Right now the client has an existing Shibboleth service provider configured.

I have been reading about Authentication Configuration and specifically the PasswordAuthnConfiguration. This article about using a relational DBMS has also been useful. But I feel that I possibly am misunderstanding the purpose of the IdP.

Do I need to provide and maintain a user store for the Shibboleth IdP? If so, does Shibboleth provide mechanisms for account creation / reset? Or should I be adding external authentication providers to the IdP and not maintaining a user store?


Solution

  • Do I need to provide and maintain a user store for the Shibboleth IdP?

    Yes. The IdP does not maintain an account store; it instead connects to existing systems that provide that store, the most common of which is LDAP or Active Directory, or systems supported by JAAS.

  • If so, does Shibboleth provide mechanisms for account creation / reset?

    No, you have to design/build those parts. The Shibboleth IdP does not provide features for account management, signup, password reset, etc. as of this writing, and all of that should be handled/designed by you as extensions to the system.

  • Or should I be adding external authentication providers to the IdP and not maintaining a user store?

    Support for external authentication systems is only offered OOTB by IdP v4, and as of this writing is supported for other external SAML2 identity providers. In this scenario, your IdP will simply be a proxy to the external identity provider, and that will handle the account store, signup, etc.
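To make the first point concrete, the following is an added example (not part of the question or the answer above, and not taken from the Shibboleth project's documentation) of how the IdP's Password login flow is pointed at an existing LDAP/Active Directory store in conf/ldap.properties. The property names are the IdP's standard ldap.properties keys; the host, base DN, bind DN and certificate path are constructed placeholders for illustration. The first block is the kind of insecure setting that is easy to leave in place after a quick test, and the second block is the hardened form a practitioner would actually deploy.

```properties
# --- WEAK (constructed example, do not deploy) ---
# Plain ldap:// with no TLS: the user's password crosses the network in
# the clear, and the bind account's credential does too.
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.org:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp-bind,ou=service,dc=example,dc=org
# Bind credential placed directly here and committed with the rest of conf/.
idp.authn.LDAP.bindDNCredential = changeme

# --- HARDENED (constructed example) ---
# LDAPS to the directory, with the server certificate pinned so a
# man-in-the-middle cannot present an arbitrary cert.
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldaps://ldap.example.org:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
idp.authn.LDAP.baseDN = ou=people,dc=example,dc=org
# Restrict the search to the subtree that actually holds login accounts
# and to the one attribute that identifies a user.
idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.bindDN = cn=idp-bind,ou=service,dc=example,dc=org
# The bind password itself lives in credentials.properties (IdP v4),
# which is kept out of version control and readable only by the IdP user.
# Fail fast instead of hanging the login page if the directory is down.
idp.authn.LDAP.connectTimeout = PT3S
idp.authn.LDAP.responseTimeout = PT3S
```

For Active Directory the same file is used with idp.authn.LDAP.authenticator = adAuthenticator and a userFilter on sAMAccountName or userPrincipalName; either way the directory, not the IdP, remains the system of record for accounts, which is exactly why provisioning and password reset have to be built against the directory rather than the IdP.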