Basic Federation

Cantor, Scott cantor.2 at
Wed Dec 2 09:50:25 EST 2015

On 12/1/15, 11:52 PM, "users on behalf of Michael Wang" <users-bounces at on behalf of mwang at> wrote:

>We have two IdPs, IdP1 and IdP2.  IdP1 and IdP2 know of different user attributes.  E.g. IdP2 has AD group information and IdP1 does not.  SP1 needs attributes from IdP1 and SP2 needs attributes from IdP2.  Given this, user1 needs to authenticate with IdP1 to access SP1 proper and authenticate with IdP2 to access SP2 proper.
>How can user1 login once but be able to access both SP1 and SP2?
>Is hub-spoke the only means of achieving this?

No. IdPs don't know about attributes, data sources do. You can connect either IdP to the same data sources. Even if some dumb organizational limitation prevents that, you can also use SAML attribute queries to make supplemental requests for attributes from those systems using a Shibboleth SP as long as the systems share a common identifier of some sort.

>Does this require custom code to be injected into Shibboleth?

Gateways are not a Shibboleth use case.

-- Scott
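As an added illustration of the attribute-query option described in the reply above (this is not configuration from the original thread or from the Shibboleth project; the entityIDs, the `eppn` attribute id and the group attribute name are constructed assumptions), a `SimpleAggregation` resolver in the Shibboleth SP's `shibboleth2.xml` lets SP2 authenticate the user at IdP1 and then fetch the missing AD group attribute from IdP2 with a back-channel SAML attribute query, keyed on an identifier both IdPs recognise:

```xml
<!-- Fragment inside <ApplicationDefaults> of shibboleth2.xml (added example, not from the thread).
     Assumption: IdP1 releases an attribute the SP maps to the id "eppn", and IdP2 can
     resolve that same value as the subject of an attribute query. -->
<ApplicationDefaults entityID="https://sp2.example.org/shibboleth"
                     REMOTE_USER="eppn">

    <!-- After login at IdP1, query IdP2 for additional attributes.
         attributeId: the already-resolved attribute whose value becomes the query's NameID.
         format:      the NameID format IdP2 expects for that identifier (assumed here). -->
    <AttributeResolver type="SimpleAggregation"
                       attributeId="eppn"
                       format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
        <!-- entityID of the IdP that holds the AD group data (constructed value) -->
        <Entity>https://idp2.example.org/idp/shibboleth</Entity>
    </AttributeResolver>

    <!-- IdP2's metadata must advertise an AttributeAuthority endpoint, and IdP2 must
         trust this SP's signing credential, or the query is refused. -->
    <MetadataProvider type="XML" validate="true" path="idp2-metadata.xml"/>

    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

</ApplicationDefaults>
```

The queried attributes still pass through `attribute-map.xml` and `attribute-policy.xml`, so the group attribute returned by IdP2 is only exposed to the application if it is mapped and permitted there; keeping those filters in place is what stops a query response from injecting attributes the SP never intended to accept. The SP needs no custom code for this, only the resolver element plus metadata and key material.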
