Sending different entityIDs to same relying party - Office 365 requirement
matheesha at gmail.com
Thu Feb 7 17:51:54 EST 2013
So it's as I expected.
Thanks for taking the time to reply guys. I appreciate it.
On 1 February 2013 20:34, Christopher Bongaarts <cab at umn.edu> wrote:
> On 1/31/2013 11:38 AM, Matheesha Weerasinghe wrote:
> > In Office 365 the customer can choose to register a bunch of DNS
> > domains they own with UPNs in the format of john at contoso.com.
> > They can then configure O365 such that it knows the SAML endpoint for
> > each domain (e.g. contoso.com, fabrikam.com). When a user
> > attempts to access O365, they will be redirected to Shibboleth which
> > will issue a token which O365 will in turn consume and accordingly
> > allow/deny access to the service.
> > In configuring the EntityID for each of these domains, there is a
> > requirement to ensure each one is unique. This presents a problem if the
> > customer has several domains but wants to use one Shibboleth
> > implementation to handle the authentication for all of them. AFAIK, you
> > can only define one relying party in the XML. This means Shibboleth will
> > always send the same relying party regardless of the user it issued the
> > token for.
> I don't know about O365, but for Google Apps, each "domain" on the
> google side has its own entity ID (i.e. each is effectively a separate
> The Shibboleth IdP is able to use a different entity ID for itself
> depending on the calling SP/RP (you just set up multiple RelyingParty
> entries in relying-party.xml).
> %% Christopher A. Bongaarts %% cab at umn.edu %%
> %% OIT - Identity Management %% http://umn.edu/~cab %%
> %% University of Minnesota %% +1 (612) 625-1809 %%