Basic Federation

Michael Wang mwang at
Tue Dec 1 23:52:13 EST 2015

Maybe we should clarify a bit on our use case.

We have two IdPs, IdP1 and IdP2.  IdP1 and IdP2 know of different user attributes.  E.g. IdP2 has AD group information and IdP1 does not.  SP1 needs attributes from IdP1 and SP2 needs attributes from IdP2.  Given this, user1 needs to authenticate with IdP1 to access SP1 proper and authenticate with IdP2 to access SP2 proper.

How can user1 login once but be able to access both SP1 and SP2?

Is hub-and-spoke the only means of achieving this?  We had scanned info on SURFnet but could not see info on how such an architecture is set up.  Does this require custom code to be injected into Shibboleth?


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Tom Scavo
Sent: Monday, 30 November 2015 12:08 PM
To: Shib Users
Subject: Re: Basic Federation

On Sun, Nov 29, 2015 at 7:59 PM, Michael Wang <mwang at> wrote:
> Is this how SWITCHaai and InCommon etc are setup?  In that SWITCHaai and InCommon are gateways?  IdPs and SPs registered there trust SWITCHaai/InCommon and thereby trust each other?

No, SWITCH and InCommon are full mesh federations. However, you don't have to look far for examples of hub-and-spoke federations. SURFnet and are good examples.
