Can Shibboleth IdP handle something like Domain/Group?

David Bantz dabantz at alaska.edu
Tue Jul 2 21:21:55 EDT 2013


A seemingly very similar question is pertinent to my institution.  We have multiple instances (dev, test, full-scale test, prod, & training) of the ERP and some other central services.  The identities in these instances are distinct but typically overlap (that is, "I" may exist in each instance, but with different attributes and credentials).  As these services migrate to central (or "external" from their viewpoint) authentication, it would be nice not to have to replicate central authN for each instance.   That is, it would be convenient and more scalable and supportable if a single IdP recognized that the test service instance used test identities, mutatis mutandis, and authenticated and passed attributes accordingly.

 But do I correctly understand Scott's answer to entail that each service instance will need its own corresponding IdP and directory or other identity repository?

David Bantz

On Tue, 2 Jul 2013, at 16:06 , "Cantor, Scott" <cantor.2 at osu.edu> wrote:

>> During login, is there a way for SP to tell IdP which group it is working with?
>> So IdP could do proper authentication for this group of users.
>> 
>> First of all does SAML have such concept? If so, does our Shibboleth IdP
>> support this?
> 
> No, there is no such concept unless you overload AuthnContext information to represent it.
> 
> -- Scott


