Is it possible do different authentication based on different SP?

Yannick Béot yannick.beot at
Thu Aug 16 11:33:42 EDT 2012

I confirm that direction.
Especially for one function: auto-provisioning.
SPs in the cloud allow the creation "on the fly" of user accounts based on
the SAML assertion.
But, when one account means one license, and then money, it is interesting
to filter users that are able to connect to this particular SP.

I do not know much about Shibboleth IdP but I'm pretty sure it is possible
to insert some filtering/authz logic in the pipeline, based on some
attributes for instance.


On Thu, Aug 16, 2012 at 4:25 PM, Cantor, Scott <cantor.2 at> wrote:

> On 8/16/12 10:16 AM, "Kevin P. Foote" <kpfoote at> wrote:
> >
> >Ha, I started typing my reply in that vein.. but realized that the OP's
> >issue was not "really" authn (same ldap) but rather authz on the SP side.
>
> Yeah, assuming the SP will actually do authz. One of the clear directions
> of the "cloud" is that a lot of IdPs are going to be doing a whole lot of
> things they aren't supposed to have to do. Hard to see how the average
> vendor will do an adequate job when Google can't even manage it.
> -- Scott