Sending different entityIDs to same relying party - Office 365 requirement
Christopher Bongaarts
cab at umn.edu
Fri Feb 1 15:34:57 EST 2013
On 1/31/2013 11:38 AM, Matheesha Weerasinghe wrote:
> In Office 365 the customer can choose to register a bunch of DNS
> domains they own with UPNs in the format of john at contoso.com.
> They can then configure O365 such that it knows the SAML endpoint for
> each domain (e.g. contoso.com, fabrikam.com). When a user attempts to
> access O365, they will be redirected to Shibboleth, which will issue a
> token which O365 will in turn consume and accordingly allow/deny
> access to the service.
> In configuring the EntityID for each of these domains, there is a
> requirement to ensure each one is unique. This presents a problem if the
> customer has several domains but wants to use one Shibboleth
> implementation to handle the authentication for all of them. AFAIK, you
> can only define one relying party in the XML. This means Shibboleth will
> always send the same relying party regardless of the user it issued the
> token for.
I don't know about O365, but for Google Apps, each "domain" on the
google side has its own entity ID (i.e. each is effectively a separate
SP/RP).
The Shibboleth IdP is able to use a different entity ID for itself
depending on the calling SP/RP (you just set up multiple RelyingParty
entries in relying-party.xml).
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
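What the reply above describes, as an added illustration that is not part of the original message or of the Shibboleth project's shipped configuration: a relying-party.xml fragment in the IdP 2.x syntax in which the IdP answers two different SPs under two different IdP entityIDs. In each rp:RelyingParty entry, the id attribute is the SP's entityID and the provider attribute is the entityID the IdP asserts as its Issuer when talking to that SP. All entityIDs and the credential reference below are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical relying-party.xml fragment (IdP 2.x syntax), example only.
     Entity IDs and the credential id "IdPCredential" are assumed names. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Entity ID used for SPs that are not listed explicitly below. -->
    <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            includeAttributeStatement="true" assertionLifetime="PT5M"
            signResponses="never" signAssertions="always"
            encryptAssertions="conditional" encryptNameIds="never" />
    </rp:DefaultRelyingParty>

    <!-- Override: when the calling SP is this one (id), the IdP asserts a
         different entityID as its Issuer (provider). Profile settings are
         not inherited from DefaultRelyingParty in 2.x, so they are repeated. -->
    <rp:RelyingParty id="https://sp.contoso.com/shibboleth"
        provider="https://idp.contoso.com/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            includeAttributeStatement="true" assertionLifetime="PT5M"
            signResponses="never" signAssertions="always"
            encryptAssertions="conditional" encryptNameIds="never" />
    </rp:RelyingParty>

    <!-- A second SP keyed to a second IdP entityID from the same IdP. -->
    <rp:RelyingParty id="https://sp.fabrikam.com/shibboleth"
        provider="https://idp.fabrikam.com/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
            includeAttributeStatement="true" assertionLifetime="PT5M"
            signResponses="never" signAssertions="always"
            encryptAssertions="conditional" encryptNameIds="never" />
    </rp:RelyingParty>

    <!-- MetadataProvider, Credential and TrustEngine elements omitted. -->
</rp:RelyingPartyGroup>
```

Two practical caveats. The selection is keyed on the SP's entityID (the id attribute), so this only helps when each domain presents itself to the IdP as a distinct SP entityID, which is the Google Apps situation described in the reply. And each provider value must be the entityID the SP side has been configured to trust as its IdP, with matching signing key and endpoints in whatever metadata it consumes; a Response whose Issuer does not match what the SP expects will be rejected.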