Basic Federation
Michael Wang
mwang at macquarietelecom.com
Tue Dec 1 23:52:13 EST 2015
May be we should clarify a bit on our use case.
We have two IdPs, IdP1 and IdP2. IdP1 and IdP2 knows of different user attributes. E.g. IdP2 has AD group information and IdP1 does not. SP1 needs attributes from IdP1 and SP2 needs attributes from IdP2. Given this user1 needs to authenticate with IdP1 to access SP1 proper and authenticate with IdP2 to access SP2 proper.
How can user1 login once but be able to access both SP1 and SP2?
Is hub-spoke the only means of achieving this? We had scanned info on SURFnet but could not see info on how such architecture is setup. Does this require custom code to be injected into Shibboleth?
Thanks.
Regards,
Michael.
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Tom Scavo
Sent: Monday, 30 November 2015 12:08 PM
To: Shib Users
Subject: Re: Basic Federation
On Sun, Nov 29, 2015 at 7:59 PM, Michael Wang <mwang at macquarietelecom.com> wrote:
>
> Is this how SWITCHaai and InCommon etc are setup? In that SWITCHaai and InCommon are gateways? IdPs and SPs registered there trust SWITCHaai/InCommon and thereby trust each other?
No, SWITCH and InCommon are full mesh federations. However, you don't have to look far for examples of hub-and-spoke federations. SURFnet and WAYF.dk are good examples.
HTH,
Tom
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list