Serving multiple IDP from ApplicationOverride SP setup
Cantor, Scott
cantor.2 at osu.edu
Tue Sep 16 17:57:28 EDT 2014
On 9/16/14, 5:45 PM, "Randy Wiemer" <wiemerr at hotmail.com> wrote:
>There is a competing view that holds that the discovery service process
>is cumbersome, especially as the number and diversity of IdPs grows, and
>therefore implementing your service in a manner that avoids the need to
>involve the user in the discovery process is a reasonable strategy.
I'm aware of the competing view, and unfortunately it doesn't solve the
problem to pretend there isn't a problem.
>Many SaaS vendors accomplish this by having dedicated URLs for each IdP.
Which precludes federation, as I said. You can only present this as a
competing alternative if it actually solves the problem. That model is
broken.
>Another common strategy is to prompt for the username which contains a
>domain part and then redirect to the IdP based on the domain part of the
>username.
Yes, and that's a discovery interface, probably the eventual one that wins
out; it just has the problem that it's not privacy preserving, which is a
limitation for some applications, though not most.
-- Scott
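The username-domain routing strategy discussed above, as an added example that is not part of the original thread or of the Shibboleth project: the domain part of a username is normalized and matched only against a table of known federation scopes, and the matching IdP's entityID is handed to the Shibboleth SP `Login` session initiator (whose `entityID` and `target` query parameters are real). The scope table and entityIDs below are constructed placeholders. The point a defender would want visible is that the user-typed domain is never used to build a redirect target directly, so an unknown or malformed domain yields no redirect at all, and that the SP still learns the user's home organization before any authentication happens, which is the privacy limitation Scott mentions.

```python
"""Username-domain IdP discovery for a Shibboleth-style SP (illustrative)."""
from urllib.parse import urlencode

# Constructed sample of federation metadata: scope -> IdP entityID.
# Real deployments would load this from signed federation metadata.
SCOPE_TO_IDP = {
    "example.edu": "https://idp.example.edu/idp/shibboleth",
    "example.org": "https://idp.example.org/idp/shibboleth",
}


def domain_of(username):
    """Return the normalized domain part of 'local@domain', or None.

    Rejects usernames with no '@', more than one '@', an empty local or
    domain part, or an empty DNS label (e.g. 'a..b').
    """
    if username.count("@") != 1:
        return None
    local, _, domain = username.partition("@")
    domain = domain.strip().rstrip(".").lower()
    if not local or not domain:
        return None
    if any(label == "" for label in domain.split(".")):
        return None
    return domain


def select_idp(username):
    """Resolve the IdP entityID for a username by its domain part.

    Only domains present in the metadata table are accepted; the
    user-supplied string is never used to construct a URL, so there is
    no open-redirect path through this function.
    """
    domain = domain_of(username)
    if domain is None:
        return None
    return SCOPE_TO_IDP.get(domain)


def session_initiator_url(sp_base, username, target="/"):
    """Build the SP's Login handler URL for the resolved IdP, or None.

    Note the privacy property: the SP has already learned the user's
    home organization at this point, before the IdP authenticates them.
    """
    entity_id = select_idp(username)
    if entity_id is None:
        return None
    query = urlencode({"entityID": entity_id, "target": target})
    return sp_base.rstrip("/") + "/Shibboleth.sso/Login?" + query


if __name__ == "__main__":
    for name in ("alice@Example.EDU", "bob@unknown.example", "carol"):
        print(name, "->", session_initiator_url("https://sp.example.com", name))
```

Because the lookup is an allowlist match, a username whose domain is not in the federation gets a "no IdP found" answer rather than a redirect built from attacker-controlled input; the caller can then fall back to a conventional discovery page for that user.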