enrich external IdP information with internal attributes
Demin Olivier
Olivier.Demin at generali.be
Mon Jan 28 19:33:26 EST 2013
Dear all,
I am searching for a way to map user IDs across IdP realms. Let me
explain my case:
I have, within my company, an application "App3" happily protected by a
Shibboleth SP, with SSO authentication delegated to an internal
Shibboleth IdP. This IdP is using a local LDAP user store. So when my
user (let's call him "u3") browses App3, App3 receives the internal user
id "u3" in the Shibboleth attributes and does whatever it needs with it.
My user also happens to use the application "ExtApp" of another company,
with whom I have a business relation. This external company is also using
a SAML-based security infrastructure and my user is known as "e2" on
their IdP. The external company has placed a link to my App3 on their
ExtApp.
The challenge: I want to establish an SSO link between ExtApp and App3.
Of course, my App3 needs to receive my internal user name ("u3") and
attributes, and doesn't know what to do with the external identifier
("e2") that the external IdP provides.
From what I understood, I need to configure my SP with:
- An SSO profile with the external IdP
- And an AttributeQuery profile with my internal IdP in order
to enrich the attributes received from the external IdP with internal
attributes (the internal IdP queries my user repository based on the
external ID to retrieve internal attributes)
This is summarized in the flow diagram here:
https://docs.google.com/file/d/0B kioHI OqylUlJfUDh5VUpCdE0/edit
Am I on the right track? If not, is what I need to do possible with
Shibboleth and how?
Would anybody have some example Shibboleth config files for the SP and
IdP for similar configuration? Or point me to some documentation that
would help me realize this? I haven't been able to configure this until
now with the Shibboleth wiki pages.
Thanks a lot for your time
Olivier Demin
Head of Front Department/IT Change
Solution Architect
Tel: +32 (0)2 403 8083
Mobile: +32 (0)473 83 10 29
Avenue Louise 149, B-1050 Bruxelles
Mail: olivier.demin at generali.be
Site: www.generali.be
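As an added example that is not part of Olivier's post and not taken from the Shibboleth project's own documentation, here is one way the two-profile layout described in the post (SSO with the external IdP, AttributeQuery against the internal IdP keyed on the external identifier) could be expressed in Shibboleth SP 2.x and IdP 2.x configuration. Every entityID, hostname, attribute name and LDAP detail below (ext-idp.example.com, idp.internal.example, app3.internal.example, extId, partnerId, the LDAP bind DN) is an assumption; the snippets are fragments to merge into the named files, not complete files.

```xml
<!-- ===== SP side (App3): attribute-map.xml =====
     Assumed: the external IdP releases its identifier ("e2") as the SAML
     attribute urn:example:partner:userid; map it to the local id "extId". -->
<Attribute name="urn:example:partner:userid" id="extId"/>

<!-- ===== SP side (App3): shibboleth2.xml, inside <ApplicationDefaults> ===== -->
<!-- Pin the SSO profile to the external IdP's entityID (assumed value). -->
<SSO entityID="https://ext-idp.example.com/idp/shibboleth">
  SAML2
</SSO>

<!-- Replace the stock <AttributeResolver type="Query" .../> with a chain:
     the Query resolver still asks the asserting (external) IdP for attributes
     it did not push, then SimpleAggregation sends a second AttributeQuery to
     the internal IdP, using the value of "extId" as the SAML Subject NameID. -->
<AttributeResolver type="Chaining">
  <AttributeResolver type="Query" subjectMatch="true"/>
  <AttributeResolver type="SimpleAggregation" attributeId="extId"
      format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    <Entity>https://idp.internal.example/idp/shibboleth</Entity>
  </AttributeResolver>
</AttributeResolver>

<!-- ===== Internal IdP side: attribute-resolver.xml ===== -->
<!-- Take the NameID carried in the AttributeQuery ("e2") as the principal
     name, instead of a transient/persistent id issued by this IdP. -->
<resolver:PrincipalConnector xsi:type="pc:Direct" id="directExtId"
    nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>

<!-- Look the user up by the partner identifier (assumed LDAP attribute
     "partnerId"), not by uid. The bind credential is a placeholder. -->
<resolver:DataConnector id="ldapByExtId" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://ldap.internal.example"
    baseDN="ou=people,dc=internal,dc=example"
    principal="cn=idp,ou=services,dc=internal,dc=example"
    principalCredential="CHANGEME">
  <dc:FilterTemplate>
    <![CDATA[ (partnerId=$requestContext.principalName) ]]>
  </dc:FilterTemplate>
  <dc:ReturnAttributes>uid mail</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- Expose the internal user name ("u3") as the uid attribute. -->
<resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
  <resolver:Dependency ref="ldapByExtId"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"/>
</resolver:AttributeDefinition>

<!-- ===== Internal IdP side: attribute-filter.xml =====
     Release uid only to App3's SP (assumed entityID), since with pc:Direct
     any requester the IdP trusts could otherwise ask about any partnerId. -->
<afp:AttributeFilterPolicy id="releaseInternalAttrsToApp3">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://app3.internal.example/shibboleth"/>
  <afp:AttributeRule attributeID="uid">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Two points a practitioner should check before deploying a layout like this. First, the internal IdP never sees the external IdP's assertion: it accepts "e2" purely on the SP's say-so in a query the SP authenticates with its own key, so the mapping is only as trustworthy as App3's SP and the attribute-filter policy that limits which requesters may ask. Second, the partnerId lookup must return exactly one entry; an ambiguous or missing match should fail closed (no uid released) rather than fall back to some other identifier.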