Is it possible do different authentication based on different SP?

Yaowen Tu yaowen.tu at gmail.com
Thu Aug 16 13:49:24 EDT 2012


Thanks folks. Looks like there are two ways to achieve it:
1)  - deploy separate login handlers
     - use an AuthnContextClassRef in the request to map to one or the other

2) IdP will always return both Eng and Sales people, the Assertion will
contain some attribute to indicate the group. SP will need to do some
authorization to filter out either Eng or Sales.

Per Scott and Kevin, (2) is a better way since IdP is only supposed to do
authn, it is SP's responsibility to do authz.

Let me know if anything is incorrect.

Thanks,
Yaowen


On Thu, Aug 16, 2012 at 8:44 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 8/16/12 11:33 AM, "Yannick Béot" <yannick.beot at gmail.com> wrote:
> >
> >I do not know much about Shibboleth IdP but I'm pretty sure it is
> >possible to insert some filtering/authz logic in the pipeline, based on
> >some attributes for instance.
>
> If you write custom login handlers; there's nothing built-in to do this.
> It's just not how it's supposed to work.
>
> -- Scott
>
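
Option (2) from the message above, as an added example that is not part of the original thread and not Shibboleth's own code: the SP reads a group attribute from the assertion and makes a deny-by-default authorization decision. The attribute name `group`, its values, and the SP entity IDs are assumptions, and the assertion is assumed to have already passed signature and condition validation in the SP's SAML stack.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an AttributeStatement as an IdP might release it.
# The attribute name "group" and the value "eng" are assumptions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="group">
      <saml:AttributeValue>eng</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical per-SP policy: the group values each SP accepts.
SP_POLICY = {
    "https://eng.example.org/sp": {"eng"},
    "https://sales.example.org/sp": {"sales"},
}

def attribute_values(assertion_xml, name):
    """Collect all values of one named attribute from a validated assertion."""
    # Only parse XML that the SAML stack has already verified; ElementTree
    # is not hardened against hostile documents.
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for v in attr.iterfind("saml:AttributeValue", NS):
                if v.text and v.text.strip():
                    values.add(v.text.strip())
    return values

def authorize(sp_entity_id, assertion_xml, attr_name="group"):
    """Deny by default: unknown SP, missing attribute or no overlap is False."""
    allowed = SP_POLICY.get(sp_entity_id)
    if not allowed:
        return False
    return bool(allowed & attribute_values(assertion_xml, attr_name))

if __name__ == "__main__":
    for sp in SP_POLICY:
        print(sp, authorize(sp, SAMPLE_ASSERTION))
```

The IdP authenticates the user the same way for both SPs; only the SP-side check differs, and a user with no `group` attribute is rejected everywhere.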