On the other side was an app that could only accept either a username+password or an OpenID.
We bridged the gap with OIF and a bit of config. In broad strokes, here's what you do...
- Install OIF
- Set up OIF as an OpenID OP
- Set up OIF as a SAML Service Provider
You need to configure OIF to use the Federation SSO proxy authn engine. When the user reaches the OpenID-enabled app, the app sends the user to OIF. OIF sees that it needs to send the user to the SAML IdP and redirects them there. The user goes to the SAML IdP, logs in, and then comes back with a SAML assertion. OIF consumes the assertion, generates an OpenID identity and redirects the user back to the OpenID Relying Party. For IdP-initiated:
You need to set up an SP Integration Module (abbreviated to SPIM). The user starts out at the SAML IdP, which generates a SAML assertion and sends it to OIF. OIF validates the SAML assertion and invokes the SPIM. The SPIM kicks the user into the OpenID flow and they get redirected on to the OpenID RP. It's all actually pretty straightforward once you understand what's going on.
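To make the "OIF consumes the assertion and generates an OpenID identity" step concrete, here is a toy model of the proxy in Python. It is an added example, not OIF code or configuration: a constructed SAML 2.0 assertion comes in from the IdP, the proxy checks the things a bridging SP must check before trusting it (issuer, audience, validity window, subject present), and only then mints the OpenID 2.0 positive assertion that sends the user on to the RP. All hostnames, the association handle and the HMAC key in `PROXY_CONFIG` are assumed values; checking the XML signature on the SAML assertion is deliberately left out here and would come before any of these checks in a real deployment.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical proxy configuration; every value here is an assumption for the example.
PROXY_CONFIG = {
    "trusted_issuer": "https://idp.example.com/saml",   # the one SAML IdP we federate with
    "audience": "https://oif.example.com/sp",           # our own SP entity id
    "op_endpoint": "https://oif.example.com/openid",    # our OpenID OP endpoint
    "identity_base": "https://oif.example.com/id/",     # prefix of the OpenID identifiers we mint
    "assoc_handle": "proxy-assoc-1",                    # association with the RP (assumed)
    "assoc_key": b"constructed-shared-secret",          # MAC key of that association (constructed)
}

# Constructed sample assertion, as the IdP might send it after the user logs in.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://oif.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
WRONG_ISSUER_ASSERTION = SAMPLE_ASSERTION.replace("https://idp.example.com/saml", "https://other.example.net/saml")

def _ts(value):
    """Parse the xsd:dateTime form used in the sample (UTC with a 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

VALID_NOW = _ts("2024-01-01T12:00:30Z")    # inside the Conditions window
EXPIRED_NOW = _ts("2024-01-01T12:10:00Z")  # after NotOnOrAfter

def parse_assertion(xml_text):
    """Pull out the fields the bridge decides on."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
    }

def validate_assertion(a, config, now):
    """Return the reasons to reject the assertion; an empty list means accept."""
    errors = []
    if a["issuer"] != config["trusted_issuer"]:
        errors.append("issuer not trusted")
    if a["audience"] != config["audience"]:
        errors.append("audience is not this SP")
    if now < a["not_before"] or now >= a["not_on_or_after"]:
        errors.append("outside validity window")
    if not a["subject"]:
        errors.append("no subject")
    return errors

def mint_openid_response(subject, return_to, config, now):
    """Build the OpenID 2.0 positive assertion (id_res) redirect for the RP."""
    identity = config["identity_base"] + subject
    fields = {
        "mode": "id_res",
        "op_endpoint": config["op_endpoint"],
        "claimed_id": identity,
        "identity": identity,
        "return_to": return_to,
        "response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "proxy",
        "assoc_handle": config["assoc_handle"],
    }
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    fields["signed"] = ",".join(signed)
    # OpenID 2.0 signs the key-value form of the listed fields with the association's MAC key.
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed)
    mac = hmac.new(config["assoc_key"], kv.encode(), hashlib.sha256).digest()
    fields["sig"] = base64.b64encode(mac).decode()
    params = {"openid.ns": "http://specs.openid.net/auth/2.0"}
    params.update({f"openid.{k}": v for k, v in fields.items()})
    return return_to + "?" + urlencode(params)

def bridge_saml_to_openid(xml_text, return_to, now, config=PROXY_CONFIG):
    """The proxy step: validate the IdP's assertion, then mint the RP redirect.
    Returns (redirect_url, errors); redirect_url is None whenever errors is non-empty."""
    a = parse_assertion(xml_text)
    errors = validate_assertion(a, config, now)
    if errors:
        return None, errors
    return mint_openid_response(a["subject"], return_to, config, now), []

def response_params(url):
    """Decode the openid.* parameters of a redirect URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

if __name__ == "__main__":
    url, errors = bridge_saml_to_openid(SAMPLE_ASSERTION, "https://rp.example.com/return", VALID_NOW)
    print(errors or response_params(url)["openid.claimed_id"])
    print(bridge_saml_to_openid(SAMPLE_ASSERTION, "https://rp.example.com/return", EXPIRED_NOW)[1])
```

The point of splitting `validate_assertion` from `mint_openid_response` is that the bridge is where trust changes hands: the RP only ever sees an OpenID identifier minted by the proxy, so any audience, issuer or lifetime check the proxy skips is one the RP cannot make up for later.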