Chaining SessionInitiators
Christopher Bland
chris at fdu.edu
Fri Feb 17 15:37:03 GMT 2012
Scott,
Your response challenges my understanding of what I'm trying to
accomplish, so let me ask you this. If I have a single SP that I
associate with 3 IDPs, is it possible to configure a DS to automatically
validate a previous session without prompting the user? For what I am
intending, I am going to set a default IDP for each application on the
SP but want sessions from all IDPs to work. Also, is there any way to
specify a session hierarchy in case a user happens to have active
sessions with more than one of the 3 IDPs?
-Chris
On 2/17/12 10:10 AM, Cantor, Scott wrote:
> On 2/17/12 9:18 AM, "Christopher Bland" <chris at fdu.edu> wrote:
>>
>> I have what is probably a beginner question about SP
>> SessionInitators. Previously I have only dealt with SPs using a
>> single IDP. I have always provided Metadata for development and
>> production IDPs but have not simultaneously used sessions from
>> both. It seems that all I have to do is within a
>> <SessionInitiator type="Chaining"> tag have a series of
>> individual SessionInitiator tags specifying each IDP available for
>> authentication.
> No. Chaining the plugins is for connecting protocol initiators (SAML2,
> Shib, etc.) with discovery initiators (SAMLDS) that don't have an assumed
> entityID. You can't just have more than one protocol initiator with
> different entityIDs, only the first one will matter. The protocol plugins
> look for an entityID to use and if missing, fall through to the later
> plugins. The discovery plugins run without an entityID set, and dispatch
> to a page that eventually returns the client to the original location with
> an entityID set, at which point the protocol plugins can run.
>
>> What's unclear to me is the process of associating a user with an
>> IDP. I get that IDPs are processed in series
> They aren't. Or rather they are, but the later ones never get used unless
> the earlier ones can't dispatch because of metadata issues (lack of
> support for a given protocol).
>
>> but does the
>> SessionInitiator only check for existing session and sends users to
>> the default or DS session initiator if it doesn't find previous
>> session?
> No. The DS session initiator is what gets used when no prior initiator has
> access to an entityID to run with.
>
> Multiple IDPs means doing discovery, or it means URL trickery to hardwire
> the entityID based on the resource. It is not based on the user or by
> chaining them together like that. There's no conditional logic available
> to decide which one to use.
>
> -- Scott
--
Christopher Bland
Systems Manager
Information Systems and Technology
1000 River Road, Teaneck NJ 07666
Mail Stop: T-BH1-01
phone: 201-692-2414 | fax: 201-692-2494 | email: chris at fdu.edu
"Fairleigh Dickinson University will never ask for your password. Please do not share it with others!"
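The chaining behaviour Scott describes, and the "hardwire the entityID based on the resource" alternative, written out as shibboleth2.xml fragments. This is an added example, not configuration from the thread or from the Shibboleth project; it assumes the SP 2.x element syntax the thread uses, and every hostname and entityID in it is a placeholder.

```xml
<!-- Added example (not from the thread): SP 2.x shibboleth2.xml fragments.
     All hostnames and entityIDs below are placeholders. -->

<!-- Chaining connects protocol initiators with a discovery initiator.
     Each protocol plugin runs only if an entityID is already known (from a
     content setting, from an entityID= query parameter on /Shibboleth.sso/Login,
     or from the DS round trip). With no entityID set, control falls through
     to SAMLDS, which sends the browser to the DS and brings it back with an
     entityID, after which the protocol plugins run. Adding a second SAML2
     element with a different entityID here does nothing: only the first
     protocol initiator that can dispatch is ever used. -->
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://ds.example.edu/DS/WAYF"/>
</SessionInitiator>

<!-- Per-resource IdP selection: entityID is a content setting, so it can be
     pinned per path in the RequestMap. A path without one goes to the DS.
     The setting only controls where a NEW session is started; an existing
     session for this applicationId satisfies requireSession whichever of the
     SP's metadata-listed IdPs issued it. -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="sp.example.edu">
            <Path name="hr" authType="shibboleth" requireSession="true"
                  entityID="https://idp-a.example.edu/idp/shibboleth"/>
            <Path name="library" authType="shibboleth" requireSession="true"
                  entityID="https://idp-b.example.edu/idp/shibboleth"/>
            <!-- no entityID: discovery via the SAMLDS initiator -->
            <Path name="portal" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
```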