Help me understand how to configure existing SP for a single SP authenticating to two IdPs

Peter Schober peter.schober at univie.ac.at
Thu Feb 5 19:48:41 EST 2015 

* Mark Neidig <mneidig at ftni.com> [2015-02-06 00:54]:
> My goal is to add another company, i.e. new.CompanyB.com, that has
> its own IdP, IdP.CompanyB.com, to my existing SP's SSO process. 

Step one is always to aquire (or create) SAML metadata for both IDPs
and add them to your SP via MetadataProviders.

> If possible and appropriate, please use these values to help me understand where the pieces fit:
> 
> Host/SP:			test.mycompany.com
> 
> CompanyA's site:		old.companyA.com
> CompanyA' IdP:		IdP.CompanyA.com
> Host's path if company A:	Path/PathA
> 
> CompanyB's site:		new.companyB.com
> CompanyB' IdP:		IdP.CompanyB.com
> Host's path if company B:	Path/PathB

Is the content of Path/PathA and Path/PathB really different?
Otherwise give them all the same resource URL and ask subjects where
they want to authenticate. (Details if you want to go down that route.)

If that's unwanted setting the entityID "content setting" for the
desired path is easiest, as you've done already (but don't change the
applicationId for no apparent reason).

> NOTE: new.CompanyB.com wants to use userId instead of email.

I'd map those two SAML attributes to their own seperate internal
attributes and use the first one that has a value, via
REMOTE_USER="userId email" (precedence list).
Additionally (to make sure only a specific one will ever be "the first
one that has a value" for each IDP) you could remove values for the
"officially unused" attribute from the other IDP respectively, i.e.,
use the attribute-policy.xml to remove all email values from IDP B and
all userId values from IDP A. That way only userId can come from
companyB and only email can come from CompanyA, making "the right
attribute from the right IDP" appear as REMOTE_USER, by setting
REMOTE_USER="userId email" (or the other way round, doesn't matter).

If you map them to seperate attributes of course you can also the that
in your application code (if idp==A myfoo=userId; if idp=B
myfoo=email).
That may be in order anyway, as you seem to be on MS-IIS and that has
no REMOTE_USER, see
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeAccess#NativeSPAttributeAccess-REMOTE_USER

> 	<ApplicationDefaults entityID="https://test.mycompany.com" REMOTE_USER="email">
> 						 
> 		<Sessions 	lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="true" 
> 				handlerSSL="true" cookieProps="http">
> 			
> 			<SSO 	entityId="http://IdP.CompanyA.com" discoveryProtocol="SAMLDS" 
> 				discoveryURL="https://www2.CompanyA.com/somepath/saml?target=mycompany" 
> 				target="https://test.mycompany.com/Path1/Path2/">
> 				SAML2
> 			</SSO>

If you set entityID (not entityId, btw) on the SSO element, all authn
requests will be sent to that IDP -- unless overruled elsewhere, which
is what you're doing. Not sure why you'd want this here then.

That discoveryURL doesn't make any sense, as an IDP Discovery Service
is meant to help a subject to identify the SAML IDP they intend to use
to log in. So having something within CompanyA assumes you already
know what IDP to use, in which case you wouldn't need discovery.

> QUESTION: Can this file referenced in MetadataProvider hold metadata
> for more than one IdP? If so, wrapped in  an <EntitiesDescriptor>
> element?

Yes and yes. For two IDPs you might as well just add two
MetadataProvider elements referencing two files. Whatever suits you.

> 		<ApplicationOverride id="Default Web Site" entityID="https://test.mycompany.com" />

I see no reason for that, so remove it.

-peter

More information about the users mailing list