Using an Existing SAML IdP

1. Introduction

If your organisation already runs a SAML IdP, the Moonshot IdP can be configured to outsource both the authentication of users and the generation of the corresponding SAML Assertion to that SAML IdP.
This is done with the ECP profile (https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP): the Moonshot IdP takes the cleartext credentials supplied by the user, uses them to authenticate to the SAML IdP's ECP endpoint (typically HTTP Basic authentication over TLS) and obtains an Assertion in return. Note that the Moonshot IdP therefore handles the user's password itself, so it must be trusted to the same degree as the SAML IdP.

2. Overview of the flow

  1. The user starts the EAP authentication with the Application and the Moonshot IdP, using EAP-TTLS/PAP. The inner method MUST be PAP, since the Moonshot IdP needs the cleartext password to authenticate to the SAML IdP; challenge/response inner methods such as MSCHAPv2 never give the server the password itself.
  2. When the Moonshot IdP obtains the credentials, instead of checking them against a local database or a remote directory service, it builds an ECP request (a SOAP envelope carrying a SAML AuthnRequest) and sends it to the SAML IdP, authenticating with the user's credentials.
  3. The SAML IdP verifies the user credentials.
  4. If the SAML IdP recognises the user, it returns a successful result including a SAML Assertion.
  5. The Moonshot IdP receives the SAML Assertion and includes it in its response to the Application; if the SAML IdP rejects the user, the EAP authentication fails.
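As an added example (not code from the Moonshot project or from the proof of concept linked in the next section), the following Python shows the ECP client role the Moonshot IdP plays in steps 2 to 5: it builds the AuthnRequest envelope, delivers it to the IdP with the user's credentials, and validates the reply before pulling out the Assertion. The endpoint, entity IDs and the sample IdP reply are constructed for illustration and are not taken from any real deployment.

```python
# Added example, not the Moonshot project's or the proof-of-concept's own code:
# the ECP client side of the flow above, using only the standard library.
# Entity IDs, URLs and the sample reply are constructed for illustration.
import base64
import datetime
import secrets
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"


def build_ecp_request(sp_entity_id, acs_url, request_id=None, issue_instant=None):
    """Return (request_id, SOAP envelope bytes) carrying a samlp:AuthnRequest.
    The Moonshot IdP acts as SP/ECP client, so it issues the request itself.
    The ID must be unpredictable: the reply's InResponseTo is checked against it."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    ET.SubElement(env, f"{{{NS['soap']}}}Header")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    authn = ET.SubElement(body, f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url, "ProtocolBinding": PAOS_BINDING})
    ET.SubElement(authn, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(env, encoding="utf-8")


def send_to_idp(ecp_endpoint, username, password, envelope):
    """POST the envelope to the IdP's ECP endpoint with HTTP Basic auth (step 2).
    Not exercised offline. The password travels in the Authorization header, so
    anything but HTTPS is refused; urllib verifies the server certificate."""
    if not ecp_endpoint.startswith("https://"):
        raise ValueError("ECP endpoint must be HTTPS")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        ecp_endpoint, data=envelope, method="POST",
        headers={"Content-Type": "text/xml", "Accept": "text/xml",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def extract_assertion(response_bytes, expected_request_id, expected_acs_url):
    """Validate the IdP's SOAP reply (steps 4-5); return (NameID, Assertion XML).
    Fails closed: a missing element, a mismatched ACS URL or request ID, or a
    non-Success status raises instead of returning anything usable."""
    root = ET.fromstring(response_bytes)
    # The ECP profile requires the client to compare the ACS URL echoed in the
    # ecp:Response header with the one it sent, to detect a tampered request.
    ecp_resp = root.find("soap:Header/ecp:Response", NS)
    if ecp_resp is None or ecp_resp.get("AssertionConsumerServiceURL") != expected_acs_url:
        raise ValueError("ecp:Response header missing or ACS URL mismatch")
    saml_resp = root.find("soap:Body/samlp:Response", NS)
    if saml_resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    if saml_resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest ID")
    status = saml_resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise PermissionError("SAML IdP did not authenticate the user")
    assertion = saml_resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("successful Response carries no Assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return name_id, ET.tostring(assertion, encoding="unicode")


# Constructed sample reply, not captured from a real IdP. It is unsigned; a
# real client must still verify the XML signature on the Assertion.
SAMPLE_SUCCESS = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        soap:mustUnderstand="1" soap:actor="http://schemas.xmlsoap.org/soap/actor/next"
        AssertionConsumerServiceURL="https://rp.example.org/ecp"/>
  </soap:Header>
  <soap:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
        InResponseTo="_req1" IssueInstant="2015-01-01T00:00:00Z">
      <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
        <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
        <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  </soap:Body>
</soap:Envelope>"""
# The same reply with a failure status (also constructed): step 5 must then fail.
SAMPLE_FAILURE = SAMPLE_SUCCESS.replace(b"status:Success", b"status:Requester")
```

The code accepts the Assertion only because it arrived over a TLS connection to an IdP whose certificate urllib verified, and it does not check XML signatures. A deployment that relays the Assertion to the Application as in step 5 should verify the IdP's signature (for example with xmlsec) before returning EAP-Success, and the SAML IdP has to be configured to allow the ECP profile for the Moonshot IdP's entity ID.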

3. Proof-of-concept implementation

We have implemented a proof of concept of this approach, available at https://github.com/alejandro-perez/moonshot_ecp_test

Note that it is only meant to show one way of implementing this workflow, and by no means should it be used in production environments.