Shibboleth Login Handler questions [SEC=UNCLASSIFIED]
Christopher Bongaarts
cab at umn.edu
Tue Jul 16 11:53:47 EDT 2013
On 7/9/2013 1:37 AM, BONNY, Michael wrote:
> 2) Can I implement an Other-IDP Login Handler, so that users can be authenticated by an alternate IDP?
> The end user would get the following experience:
> Navigate to shibsite1.mydomain.com (get redirected to shibidp.mydomain.com)
> Shibidp.mydomain.com would then detect the user was dev-internal, and redirect them to another IDP (devshibidp.mydomain.dev)

As mentioned, you can get that specific behavior using RemoteUser + Shib
SP. Depending on what you're trying to accomplish, there may be simpler
ways to achieve your goal.

If you just want to authenticate users with a different IdP on test
servers, you could use a discovery service, or just direct users to the
appropriate IdP from each SP. For example, we have a test IdP and a
production IdP. Server admins would typically configure their test SPs
to point to the test IdP and production SPs to the production IdP.

You can also specify a particular IdP within a single SP by using
ShibRequestSetting entityId (on Apache) or adding entityId to the
appropriate RequestMap element (for IIS).
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
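
The per-path IdP selection described in the message, as an added Apache example that is not part of the original post. The paths and entityID URLs are assumed placeholders (the thread gives only hostnames), and the content setting is written with the Shibboleth SP's `entityID` spelling.

```apache
# Added example: one SP (shibsite1.mydomain.com) sending two protected
# paths to different IdPs. Paths and entityID values are assumptions;
# use the entityID each IdP actually publishes in its metadata.

# Production users authenticate at the production IdP.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting entityID https://shibidp.mydomain.com/idp/shibboleth
    Require valid-user
</Location>

# Dev-internal users are sent straight to the dev IdP, with no
# discovery step and no hop through the production IdP.
<Location /app-dev>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting entityID https://devshibidp.mydomain.dev/idp/shibboleth
    Require valid-user
</Location>
```

The SP must have metadata loaded for both IdPs. Because one SP session covers the whole host, an application under `/app` that must not accept dev-IdP logins should also check which IdP issued the session (exposed by the SP as `Shib-Identity-Provider`).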