Sending different entityIDs to same relying party - Office 365 requirement

Tom Scavo trscavo at gmail.com
Thu Jan 31 12:58:54 EST 2013


On Thu, Jan 31, 2013 at 12:38 PM, Matheesha Weerasinghe
<matheesha at gmail.com> wrote:
>
> In Office 365 the customer can choose to register a bunch of DNS domains
> they own with UPNs in the format of john@contoso.com. They can then
> configure O365 such that it knows the SAML endpoint for each domain (e.g.
> contoso.com, fabrikam.com).

These domains are called _scopes_, as in "scoped attributes," which is
what a UPN is. Scope is independent of SAML endpoint. In other words,
an IdP can assert attributes with different scopes from the same
endpoint.

> In configuring the EntityID for each of these domains, there is a
> requirement to ensure each one is unique. This presents a problem if the
> customer has several domains but wants to use one Shibboleth implementation
> to handle the authentication for all of them.

That's not a Shibboleth thing, that's a SAML thing. There is at most
one SAML endpoint per binding at the IdP.

> I am trying to determine if it's possible to have multiple EntityIDs
> associated with the same relying party and then use some conditional logic
> to decide what to send.
>
> For example, if user UPN suffix = contoso.com then send
> entityID=https://contoso.com/idp/shibboleth.
>
> else if user UPN suffix = fabrikam.com then send
> entityID=https://fabrikam.com/idp/shibboleth.

If you really want to do that, then you need two IdPs.

Tom
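
As an added illustration of Tom's point (example code, not part of the thread and not Shibboleth project code): the IdP's entityID is the SAML Issuer and stays constant, while the scope rides inside the scoped attribute value (here eduPersonPrincipalName in its inline "user@scope" form). The second half shows the relying-party side that makes multi-scope IdPs safe: a scope check against the scopes the IdP is permitted to assert, modelled on the shibmd:Scope elements that Shibboleth-style federation metadata carries. The metadata, entityID, and UPNs below are constructed for the example.

```python
"""Added example (not from the mailing-list post): one IdP entityID, several
scopes, and the relying-party check that stops an IdP from asserting scopes
it has not been registered for. All sample data below is constructed."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName

# Constructed IdP metadata: a single entityID whose IDPSSODescriptor lists
# the scopes this IdP may assert (shibmd:Scope, as in federation metadata).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">contoso.com</shibmd:Scope>
      <shibmd:Scope regexp="false">fabrikam.com</shibmd:Scope>
    </md:Extensions>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def allowed_scopes(metadata_xml):
    """Return (entityID, set of literal scopes) declared in IdP metadata.
    Regexp scopes are skipped here to keep the check simple."""
    root = ET.fromstring(metadata_xml)
    scopes = set()
    for el in root.iter(f"{{{SHIBMD}}}Scope"):
        if el.get("regexp", "false") == "false":
            scopes.add(el.text.strip().lower())
    return root.get("entityID"), scopes


def build_assertion(idp_entity_id, upn):
    """IdP side: a minimal (unsigned, illustrative) SAML 2.0 assertion.
    The Issuer is the one entityID; the scope lives in the attribute value."""
    ET.register_namespace("saml2", SAML2)
    assertion = ET.Element(f"{{{SAML2}}}Assertion", Version="2.0")
    ET.SubElement(assertion, f"{{{SAML2}}}Issuer").text = idp_entity_id
    stmt = ET.SubElement(assertion, f"{{{SAML2}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", Name=EPPN_OID,
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri")
    ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = upn  # inline scope
    return ET.tostring(assertion, encoding="unicode")


def check_scoped_value(assertion_xml, metadata_xml):
    """Relying-party side: accept the ePPN only if the Issuer matches the
    metadata entityID and the value's scope is one that IdP may assert.
    Returns (issuer, scope, accepted)."""
    entity_id, scopes = allowed_scopes(metadata_xml)
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML2}}}Issuer")
    if issuer != entity_id:
        return issuer, None, False
    value = root.find(f".//{{{SAML2}}}Attribute[@Name='{EPPN_OID}']"
                      f"/{{{SAML2}}}AttributeValue")
    if value is None or not value.text:
        return issuer, None, False
    _local, sep, scope = value.text.rpartition("@")
    if not sep or scope.lower() not in scopes:
        return issuer, scope or None, False
    return issuer, scope, True


def demo():
    """Same Issuer for every user; only the scope changes. The third UPN
    carries a scope the IdP is not registered for and is rejected."""
    idp = "https://idp.example.org/idp/shibboleth"
    results = []
    for upn in ("john@contoso.com", "jane@fabrikam.com", "pat@adatum.com"):
        results.append(check_scoped_value(build_assertion(idp, upn), IDP_METADATA))
    return results


if __name__ == "__main__":
    for issuer, scope, ok in demo():
        print(issuer, scope, "accepted" if ok else "rejected")
```

The check answers the security question that multi-scope IdPs raise: if one endpoint can assert contoso.com and fabrikam.com, what stops it from asserting a third party's domain? In a federation the answer is the scope list in the IdP's metadata, enforced by the relying party, which is exactly what this example does. Office 365 does not consume shibmd:Scope; it keys on the per-domain registration Matheesha describes, which is why it wants a distinct entityID per domain rather than a scope list.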

