Shibboleth Login Handler questions [SEC=UNCLASSIFIED]

Christopher Bongaarts cab at umn.edu
Tue Jul 16 11:53:47 EDT 2013


On 7/9/2013 1:37 AM, BONNY, Michael wrote:
> 2) Can I implement an Other-IDP Login Handler, so that users can be authenticated by an alternate IDP?
> The end user would get the following experience:
> Navigate to shibsite1.mydomain.com (get redirected to shibidp.mydomain.com)
> Shibidp.mydomain.com would then detect the user was dev-internal, and redirect them to another IDP (devshibidp.mydomain.dev)

As mentioned, you can get that specific behavior using RemoteUser + Shib 
SP.  Depending on what you're trying to accomplish, there may be simpler 
ways to achieve your goal.

If you just want to authenticate users with a different IdP on test 
servers, you could use a discovery service, or just direct users to the 
appropriate IdP from each SP.  For example, we have a test IdP and a 
production IdP.  Server admins would typically configure their test SPs 
to point to the test IdP and production SPs to the production IdP.

You can also specify a particular IdP within a single SP by using 
ShibRequestSetting entityId (on apache) or adding entityId to the 
appropriate RequestMap element (for IIS).

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
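As an added illustration of the last point (example configuration written for this archive, not Christopher's own or a Shibboleth project file): the SP's RequestMap is the place where a per-path IdP can be pinned, and it works the same way on Apache and IIS, so it is the portable equivalent of the Apache-only `ShibRequestSetting` directive. Host names are the ones from the thread; the IdP entityID, the `/secure` path and the `default` application id are assumed values.

```xml
<!-- Fragment of shibboleth2.xml (Shibboleth SP 2.x), added example; this is not
     the poster's configuration. Place it inside <SPConfig>, alongside
     <ApplicationDefaults>. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">

    <!-- Production site: no entityID here, so the SP uses the IdP named in
         <SSO entityID="..."> under <ApplicationDefaults>, or a discovery
         service if one is configured there. -->
    <Host name="shibsite1.mydomain.com">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>

    <!-- Dev/test site: the entityID content setting forces this vhost+path
         to initiate SSO with the dev IdP only. The value below is an assumed
         placeholder entityID, not one taken from the thread. -->
    <Host name="shibsite1-dev.mydomain.com">
      <Path name="secure" authType="shibboleth" requireSession="true"
            entityID="https://devshibidp.mydomain.dev/idp/shibboleth"/>
    </Host>

  </RequestMap>
</RequestMapper>
```

The same content setting is what `ShibRequestSetting entityID https://devshibidp.mydomain.dev/idp/shibboleth` does inside an Apache `<Location>` block; note the setting name is `entityID` with a capital D in both places, which is an easy thing to get wrong. Pinning an entityID only tells the SP which IdP to send the user to; the SP will still reject assertions from that IdP unless its metadata is loaded through a `<MetadataProvider>`, so a dev IdP that is meant to stay out of production should simply be absent from the production SP's metadata rather than relying on the RequestMap alone.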