Auto Discovery
Peter Schober
peter.schober at univie.ac.at
Mon Nov 24 11:57:07 EST 2014
* samir el otmani <elotmani.samir at gmail.com> [2014-11-24 17:46]:
> This scenario is when accessing secured resources from Shibboleth SP.
> Actually I have many IdPs connected to one SP; my use case is different
> from the IdP selection from a select box,
> for example:
>
> Organization 1 will enter the link : sp.test.org/secure?o=org1
>
> Organization 2 will enter the link : sp.test.org/secure?o=org2

You can provide such an abstraction (from entityID to something you
control) and create a mapping somewhere (an RDBMS, in your code,
wherever), essentially rewriting the above to

  /Shibboleth.sso/Login?entityID=<org1-idp>&target=<accessed-resource>

Whether the above could be made to work (and where, e.g. webserver
config or your own code) depends on the specifics of what you imply
with the example, e.g. whether sp.test.org/secure is meant to be
accessible only with a valid session.

Who (what link/code/config) will generate those specific URLs?
Can that design be changed?

> I don't know if the previous example is a correct one but I only need
> the IdP discovery from the SP to be automatic, so all the
> users from each organization will have a dedicated URL.

OK, so what you're after is sometimes called "WAYFless URLs", which
encode an identifier for the IDP/institution/contract into a URL.

You can do this any way you like, but I would advise not to put that
as a request parameter of the protected resource, unless you do not
intend to have any content with "active protection".

And you'll likely also have to cater for those /not/ using those
links, e.g. those just typing the name of your service into a search
engine and navigating to their resources on their own. If you don't do
that, bookmarking the resource (after authentication and successful
authorization) becomes impossible.

-peter
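
The mapping described in the reply, sketched as an added example (not code from the thread or from the Shibboleth project): an organisation key is looked up in a server-side table and turned into the /Shibboleth.sso/Login?entityID=...&target=... URL, with the target restricted to local paths so the link cannot redirect elsewhere. The /go/<org> entry point, the IdP entityIDs and the function names are assumptions; unknown keys get a URL without entityID, which assumes the SP has its own discovery or default IdP configured.

```python
from urllib.parse import urlencode

SP_BASE = "https://sp.test.org"          # SP host from the thread
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # handler path from the reply

# Constructed mapping: organisation key -> IdP entityID (placeholder values).
ORG_TO_IDP = {
    "org1": "https://idp.org1.example/idp/shibboleth",
    "org2": "https://idp.org2.example/idp/shibboleth",
}


def safe_target(path):
    """Accept only an absolute path on this SP and return it as a full URL."""
    if (not path.startswith("/") or path.startswith("//")
            or "\\" in path or any(ord(c) < 0x20 for c in path)):
        raise ValueError("target must be a local absolute path")
    return SP_BASE + path


def wayfless_login_url(org, path):
    """Build the login URL for a hypothetical /go/<org>?path=... entry point."""
    params = {}
    entity_id = ORG_TO_IDP.get(org)   # never taken from the request itself
    if entity_id is not None:
        params["entityID"] = entity_id
    # Unknown key: no entityID is sent, leaving IdP selection to the SP
    # (assumption: the SP has discovery or a default IdP configured).
    params["target"] = safe_target(path)
    return f"{SP_BASE}{LOGIN_HANDLER}?{urlencode(params)}"


if __name__ == "__main__":
    print(wayfless_login_url("org1", "/secure/report"))
    print(wayfless_login_url("unknown", "/secure/report"))
```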