Sending different entityIDs to same relying party - Office 365 requirement

Peter Schober peter.schober at univie.ac.at
Thu Jan 31 13:16:49 EST 2013


* Matheesha Weerasinghe <matheesha at gmail.com> [2013-01-31 18:38]:
> In configuring the EntityID for each of these domains, there is a
> requirement to ensure each one is unique. This presents a problem if the
> customer has several domains but wants to use one Shibboleth implementation
> to handle the authentication for all of them. AFAIK, you can only define
> one relying party in the XML. This means Shibboleth will always send the
> same relying party regardless of the user it issued the token for.
> 
> I am trying to determine if it's possible to have multiple EntityIDs
> associated with the same relying party and then use some conditional logic
> to decide what to send.

I'm hoping for you that this is not in fact a requirement of that
particular relying party (RP).

Anyway, what the software offers is setting a different issuer
(entityID for the IdP) based on the entityID of the RP, i.e. to make
the IdP use different identities for different RPs.
But not for the same RP.

Also there will be no way for the IdP to know what some subject
entered as a username (or MS Active Directory "User Principal Name")
at some other website. The RP is probably not sending this info in the
SAML authentication request to the IdP and that's all the IdP sees.
-peter
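To make the two points above concrete, here is an added example (not code from this thread or from Shibboleth) that decodes a SAML 2.0 AuthnRequest as an SP sends it over the HTTP-Redirect binding (raw DEFLATE, then base64) and shows what the IdP actually has to work with when choosing its own entityID for the response: the RP's entityID in the Issuer element, the AssertionConsumerServiceURL, and an optional Subject that SPs almost never send. Because the only stable key is the RP's entityID, a per-RP issuer table can give different RPs different IdP entityIDs, but one RP always gets the same one. The entityIDs, the issuer table and the sample request are all constructed for illustration.

```python
"""Decode a SAML 2.0 AuthnRequest (HTTP-Redirect binding) and select the IdP
entityID to use as issuer, keyed on the requesting RP's entityID.

Constructed example; not Shibboleth code. All entityIDs are hypothetical."""
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Per-RP issuer overrides, keyed by the RP's entityID (hypothetical values).
# An RP that is not listed gets DEFAULT_ISSUER. The key is the RP's entityID,
# so a given RP can only ever map to one issuer.
ISSUER_BY_RP = {
    "https://sp.example.org/shibboleth": "https://idp-b.example.edu/idp/shibboleth",
}
DEFAULT_ISSUER = "https://idp.example.edu/idp/shibboleth"


def encode_redirect_request(xml_text: str) -> str:
    """What the SP does for HTTP-Redirect: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(saml_request: str) -> ET.Element:
    """Inverse of the above: base64-decode, raw-inflate, parse the XML."""
    raw = zlib.decompress(base64.b64decode(saml_request), -15)
    return ET.fromstring(raw)


def request_fields(req: ET.Element) -> dict:
    """Everything about the requester that the IdP can read out of the AuthnRequest.
    Note what is absent: nothing identifies the user, let alone a UPN typed at the SP."""
    issuer = req.find(f"{{{SAML}}}Issuer")
    subject = req.find(f"{{{SAML}}}Subject")  # optional in the schema; rarely sent
    return {
        "rp_entity_id": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": req.get("AssertionConsumerServiceURL"),
        "subject_present": subject is not None,
    }


def select_issuer(saml_request: str) -> str:
    """Pick the IdP entityID to put in the response, based solely on who is asking."""
    fields = request_fields(decode_redirect_request(saml_request))
    rp = fields["rp_entity_id"]
    if rp is None:
        raise ValueError("AuthnRequest has no Issuer; cannot identify the relying party")
    return ISSUER_BY_RP.get(rp, DEFAULT_ISSUER)


# Constructed AuthnRequest in the shape a Shibboleth SP would send. There is no
# username or UPN anywhere in it, which is the point made in the reply above.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c0ffee" Version="2.0" IssueInstant="2013-01-31T18:00:00Z"
    Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""

# The SAMLRequest query parameter value as it would arrive at the IdP.
ENCODED = encode_redirect_request(SAMPLE_REQUEST)

if __name__ == "__main__":
    print(request_fields(decode_redirect_request(ENCODED)))
    print("issuer to use:", select_issuer(ENCODED))
```

Run as-is to see the decoded fields and the selected issuer. Swapping the Issuer value for a different RP entityID falls through to `DEFAULT_ISSUER`; changing the user who is logging in changes nothing, because nothing about the user is in the request.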

