Specifying <IdpList> in Shibboleth SP

Tom Scavo trscavo at gmail.com
Mon Nov 24 14:15:10 EST 2014


On Mon, Nov 24, 2014 at 1:10 PM, Sandy <sundeep.nitw at gmail.com> wrote:
>
> Both questions relate to what is referred to as 'Idp Chaining', but the SAML
> specification defines it as SAML Idp Proxying.

Yes, IdP Proxy is the correct SAML term.

> More details on the specific
> information I am looking for is below:
>
> 1. IdpList for SP
> The SAML specification says that an <IdpList> element can list all the Idp's
> that the requester would need assertions from. Where, in Shibboleth SP
> configuration this can be specified (if at all it can be)? I would be
> grateful if I can be pointed to the wiki page that contains relevant
> information.
>
> 2. SAML Proxy Idp
> Is there some specific configuration that Idp needs to act as a proxy Idp?
> Or is it from the Request that the Idp figures out that it needs to act as a
> proxy Idp (from <ProxyCount> and <IdpList> elements).

This is a FAQ but I don't think it is documented anywhere. Shibboleth
(as a set of components) is not really intended to be deployed as an
IdP Proxy. It can be done (people have done it) but it's not optimal.
If you want to deploy an IdP Proxy, I suggest you look at
simpleSAMLphp. We use simpleSAMLphp for that purpose and it works
great.

Btw, the SAML elements you ask about above are not strictly required
to run an IdP Proxy. In any case, I don't know if simpleSAMLphp
supports them; you'd have to ask that question on the simpleSAMLphp
mailing list.

Tom
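For readers who want to see what the elements discussed in this thread actually look like on the wire: the following is an added example, not code from the thread, from Shibboleth or from simpleSAMLphp. It builds the <samlp:Scoping> part of a SAML 2.0 AuthnRequest (the spec places the IDPList and the ProxyCount there; ProxyCount is an attribute of Scoping rather than its own element), then shows the check a proxying IdP would perform before forwarding the request upstream. All entity IDs, the request ID and the timestamp are constructed values.

```python
# Added example (not from the mailing-list thread, Shibboleth or simpleSAMLphp):
# build and inspect the <samlp:Scoping> element of a SAML 2.0 AuthnRequest.
# Entity IDs, request ID and IssueInstant below are constructed sample values.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, idp_entity_ids, proxy_count):
    """Return an AuthnRequest Element whose Scoping carries an IDPList and a ProxyCount."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id",          # constructed
        "Version": "2.0",
        "IssueInstant": "2014-11-24T18:15:10Z",   # constructed
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping",
                            {"ProxyCount": str(proxy_count)})
    idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
    for entity_id in idp_entity_ids:
        # Each IDPEntry names one IdP the requester is willing to accept assertions from.
        ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": entity_id})
    return req


def parse_scoping(xml_bytes):
    """Return (proxy_count, [IdP entity IDs]) from a serialized AuthnRequest.

    proxy_count is None when the attribute is absent (the spec treats that as
    'no limit'); the list is empty when no IDPList is present.
    """
    root = ET.fromstring(xml_bytes)
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    if scoping is None:
        return None, []
    count = scoping.get("ProxyCount")
    proxy_count = int(count) if count is not None else None
    ids = [e.get("ProviderID") for e in scoping.iter(f"{{{SAMLP}}}IDPEntry")]
    return proxy_count, ids


def proxy_may_forward(xml_bytes, upstream_idp):
    """Decision a proxying IdP makes before forwarding to upstream_idp.

    A ProxyCount of 0 means the requester forbids any further proxying, and an
    IDPList (when present) restricts which upstream IdPs are acceptable.
    """
    proxy_count, ids = parse_scoping(xml_bytes)
    if proxy_count is not None and proxy_count < 1:
        return False, "ProxyCount exhausted"
    if ids and upstream_idp not in ids:
        return False, "upstream IdP not in IDPList"
    return True, "ok"


if __name__ == "__main__":
    request = build_authn_request(
        "https://sp.example.org/shibboleth",                       # constructed
        ["https://idp1.example.edu/idp", "https://idp2.example.edu/idp"],  # constructed
        proxy_count=1,
    )
    serialized = ET.tostring(request)
    print(serialized.decode())
    print(proxy_may_forward(serialized, "https://idp1.example.edu/idp"))
```

The serialized request is what a Shibboleth SP would have to emit for the question in this thread to apply; the parse-and-decide functions are the side of the exchange a proxy implementation (such as the simpleSAMLphp deployment mentioned above) would need, and the checks follow the semantics SAML 2.0 Core gives these elements.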
