Chaining SessionInitiators

Christopher Bland chris at fdu.edu
Fri Feb 17 15:37:03 GMT 2012


Scott,

Your response challenges my understanding of what I'm trying to 
accomplish, so let me ask you this.  If I have a single SP that I 
associate with 3 IDPs, is it possible to configure a DS to automatically 
validate a previous session without prompting the user?  For what I am 
intending, I am going to set a default IDP for each application on the 
SP but want sessions from all IDPs to work.  Also, is there any way to 
specify a session hierarchy in case a user happens to have active 
sessions with more than one of the 3 IDPs?

-Chris

On 2/17/12 10:10 AM, Cantor, Scott wrote:
> On 2/17/12 9:18 AM, "Christopher Bland" <chris at fdu.edu> wrote:
>>
>>     I have what is probably a beginner question about SP
>>     SessionInitiators.  Previously I have only dealt with SPs using a
>>     single IDP.  I have always provided Metadata for development and
>>     production IDPs but have not simultaneously used sessions from
>>     both.  It seems that all I have to do is within a
>>     <SessionInitiator type="Chaining"> tag have a series of
>>     individual SessionInitiator tags specifying each IDP available for
>>     authentication.
> No. Chaining the plugins is for connecting protocol initiators (SAML2,
> Shib, etc.) with discovery initiators (SAMLDS) that don't have an assumed
> entityID. You can't just have more than one protocol initiator with
> different entityIDs, only the first one will matter. The protocol plugins
> look for an entityID to use and if missing, fall through to the later
> plugins. The discovery plugins run without an entityID set, and dispatch
> to a page that eventually returns the client to the original location with
> an entityID set, at which point the protocol plugins can run.
>
>>     What's unclear to me is the process of associating a user with an
>>     IDP.  I get that IDPs are processed in series
> They aren't. Or rather they are, but the later ones never get used unless
> the earlier ones can't dispatch because of metadata issues (lack of
> support for a given protocol).
>
>> but does the
>>     SessionInitiator only check for an existing session and send users to
>>     the default or DS session initiator if it doesn't find a previous
>>     session?
> No. The DS session initiator is what gets used when no prior initiator has
> access to an entityID to run with.
>
> Multiple IDPs means doing discovery, or it means URL trickery to hardwire
> the entityID based on the resource. It is not based on the user or by
> chaining them together like that. There's no conditional logic available
> to decide which one to use.
>
> -- Scott
>


-- 
Christopher Bland
Systems Manager
Information Systems and Technology
1000 River Road, Teaneck NJ 07666
Mail Stop: T-BH1-01
phone: 201-692-2414 | fax: 201-692-2494 | email: chris at fdu.edu
"Fairleigh Dickinson University will never ask for your password. Please do not share it with others!"
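As an added illustration of the mechanism Scott describes (this is not configuration posted in the thread), the following shibboleth2.xml fragment for the SP 2.x config format keeps exactly one protocol initiator per protocol ahead of the discovery plugin, and hardwires the default IdP for each application by path in the RequestMap instead of adding further protocol initiators. The SP accepts a session from whichever IdP in its metadata actually responds, so users already authenticated at any of the three IdPs keep working; hostnames, paths and entityIDs below are placeholders.

```xml
<!-- Added example for Shibboleth SP 2.x; all names and entityIDs are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">

  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.edu" authType="shibboleth" requireSession="true">
        <!-- Per-application default IdP via the entityID content setting.
             This only chooses where an unauthenticated user is sent; any IdP
             present in the SP's metadata can still establish a session. -->
        <Path name="app1" entityID="https://idp1.example.edu/idp/shibboleth"/>
        <Path name="app2" entityID="https://idp2.example.edu/idp/shibboleth"/>
        <!-- No entityID here, so the chain falls through to the discovery plugin. -->
        <Path name="app3"/>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults id="default" entityID="https://sp.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
      <!-- One SAML2 and one Shib1 initiator. A second SAML2 initiator with a
           different entityID would never run: the first one consumes the request. -->
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                        id="Login" relayState="cookie">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
        <!-- Discovery runs only when no entityID was supplied by the content
             setting above or by the request; it returns the user with one set. -->
        <SessionInitiator type="SAMLDS" URL="https://ds.example.edu/DS/WAYF"/>
      </SessionInitiator>
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML/POST" index="5"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    </Sessions>

    <!-- All three IdPs must be in trusted metadata; the SP rejects assertions
         from any issuer it cannot find here, which is the actual trust boundary. -->
    <MetadataProvider type="XML" file="federation-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>
```

Nothing in this configuration selects an IdP based on the user or ranks existing sessions; as Scott notes, the only choices are discovery or a per-resource entityID.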
