IdP gateway

Eric Goodman Eric.Goodman at
Mon Apr 18 13:30:58 EDT 2016

This can be done using an IdP Proxy. SimpleSAMLphp is one product you can use for this purpose. It has hooks for doing what you describe, but there would be custom coding required.

The approach assumes you have a process to populate and maintain the extra information (e.g., entitlements) for users from all of the IdPs for the proxy to pull information from. The Proxy doesn’t help at all with managing that extra information; it just offers a mechanism for “post processing” the SAML responses and injecting information before the SP gets the SAML response.

Using an IdP Proxy approach, the SP sees all the attributes as coming from the IdP Proxy, not from the original source IdPs, so it’s not “transparent” to the SP in that sense. It’s not clear from your description whether or not that would cause an issue for you.

--- Eric

From: users [mailto:users-bounces at] On Behalf Of Stefano Zanmarchi
Sent: Monday, April 18, 2016 7:23 AM
To: Shib Users
Subject: IdP gateway

Hi all,
I'm looking for an IdP gateway with the ability to add attributes to those received from an IdP.
The scenario I'd like to achieve is:
- the user clicks on the SP's login button
- she gets redirected to the IdP gateway
- the IdP gateway presents the user with a list of IdPs she can choose from
- the user selects an IdP and authenticates
- upon successful authentication the gateway returns the user to the SP adding some attributes (e.g. an entitlement).
Has something like this already been implemented, possibly open source? Any information would be greatly appreciated.
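
The post-processing step described in the reply above, modelled in Python as an added example that is not part of the original thread and is not SimpleSAMLphp code. The attribute names, entityIDs, store contents and the choice to discard upstream values for proxy-managed attributes are assumptions made for illustration.

```python
# Constructed sample data: the proxy's own store of extra attributes, which
# the reply says must be populated and maintained outside the proxy.
# Keys pair the source IdP's entityID with the identifier that IdP asserted,
# so the same identifier arriving from two IdPs is never treated as one user.
ENTITLEMENT_STORE = {
    ("https://idp-a.example.org/idp", "alice@a.example.org"):
        ["urn:example:entitlement:library"],
    ("https://idp-b.example.org/idp", "bob@b.example.org"):
        ["urn:example:entitlement:library", "urn:example:entitlement:lab"],
}

USER_ID_ATTR = "eduPersonPrincipalName"   # assumed lookup attribute
MANAGED_ATTR = "eduPersonEntitlement"     # assumed proxy-managed attribute


def post_process(source_idp, upstream_attrs, store=ENTITLEMENT_STORE):
    """Return the attributes the proxy would place in its own response to the SP."""
    # The SP sees every attribute as coming from the proxy, so it cannot tell
    # an injected entitlement from one an upstream IdP sent. This sketch
    # therefore discards any upstream value for the managed attribute.
    out = {name: list(values) for name, values in upstream_attrs.items()
           if name != MANAGED_ATTR}

    user_ids = upstream_attrs.get(USER_ID_ATTR, [])
    if len(user_ids) != 1:
        return out  # no single identifier to look up: inject nothing

    extra = store.get((source_idp, user_ids[0]), [])
    if extra:
        out[MANAGED_ATTR] = list(extra)
    return out


if __name__ == "__main__":
    # Constructed upstream attribute set, as released by the IdP the user chose.
    upstream = {
        "eduPersonPrincipalName": ["alice@a.example.org"],
        "mail": ["alice@a.example.org"],
    }
    print(post_process("https://idp-a.example.org/idp", upstream))
```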