Forum Discussion
Kevin_Stewart
Employee
Oct 05, 2015That's absolutely correct. Since you're client is directly accessing an external resource, you can't auto-submit credentials to that site. The better option, if the external IdP can do it, is to have it encrypt the client's credentials back into the assertion. Or better enable artifact mode so that these credentials aren't in the client's data path. Otherwise you might have to re-investigate using Kerberos if you don't have a password.