Is it possible to do different authentication based on different SP?

Kevin P. Foote kpfoote at
Thu Aug 16 10:16:23 EDT 2012

On Thu, 16 Aug 2012, Cantor, Scott wrote:
-> On 8/15/12 10:00 PM, "Kevin P. Foote" <kpfoote at> wrote:
-> >
-> >Give the Engineering group an "engineering" attribute, and the sales
-> >folks a "sales" attribute at the IdP. On the SP side require one or the
-> >other for authz.
-> A less elegant and more brittle way that still avoids writing code:
-> - deploy separate login handlers
-> - use an AuthnContextClassRef in the request to map to one or the other

Ha, I started typing my reply in that vein... but realized that the OP's issue was
not "really" authn (same LDAP) but rather authz on the SP side.

So I figured, as you mentioned, that the multiple LoginHandler /
AuthnContextClassRef combo would be overkill in this case.

Glad to know that my thoughts crossed in line with a shib-master :-P 

