Is it possible to do different authentication based on different SP?

Yaowen Tu yaowen.tu at
Thu Aug 16 13:49:24 EDT 2012

Thanks folks. Looks like there are two ways to achieve it:
1)  - deploy separate login handlers
     - use an AuthnContextClassRef in the request to map to one or the other

2) IdP will always return both Eng and Sales people, the Assertion will
contain some attribute to indicate the group. SP will need to do some
authorization to filter out either Eng or Sales.

Per Scott and Kevin, (2) is a better way since IdP is only supposed to do
authn, it is SP's responsibility to do authz.

Let me know if anything is incorrect.


On Thu, Aug 16, 2012 at 8:44 AM, Cantor, Scott <cantor.2 at> wrote:

> On 8/16/12 11:33 AM, "Yannick Béot" <yannick.beot at> wrote:
> >
> >I do not know much about Shibboleth IdP but I'm pretty sure it is
> >possible to insert some filtering/authz logic in the pipeline, based on
> >some attributes for instance.
> If you write custom login handlers; there's nothing built-in to do this.
> It's just not how it's supposed to work.
> -- Scott
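
Option (2) from the message above, seen from the SP side, as an added example that is not code from the thread or from Shibboleth: the SP reads a group attribute from the assertion's AttributeStatement and denies by default. The attribute name `group`, the values `eng`/`sales`, the SP entity IDs and the case-insensitive matching are assumptions, and the assertion is assumed to have already passed signature, issuer, audience and validity-time checks.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical per-SP policy: which group values each SP accepts.
SP_POLICY = {
    "https://eng.example.org/sp": {"eng"},
    "https://sales.example.org/sp": {"sales"},
}

# Constructed sample assertion fragment (not real IdP output).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>Eng</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def attribute_values(assertion_xml, name):
    """Return the set of values (trimmed, lowercased) for the named attribute."""
    # The XML is assumed to come from an already validated assertion.
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            if val.text and val.text.strip():
                values.add(val.text.strip().lower())
    return values

def authorize(sp_entity_id, assertion_xml, group_attr="group"):
    """Authz at the SP: allow only if a group value matches this SP's policy."""
    allowed = SP_POLICY.get(sp_entity_id)
    if not allowed:
        return False  # unknown SP or empty policy: deny by default
    return bool(attribute_values(assertion_xml, group_attr) & allowed)

if __name__ == "__main__":
    for sp in SP_POLICY:
        print(sp, "->", "allow" if authorize(sp, SAMPLE_ASSERTION) else "deny")
```
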