IdP gateway

Eric Goodman Eric.Goodman at
Mon Apr 18 19:40:38 EDT 2016

An IdP Proxy looks exactly like an IdP, kind of in the same way an http proxy looks exactly like an http server. So yes, it’s easy to do on the SP side.

The Proxy will have its own unique entityID, so you would have to do the proper metadata exchange between the Proxy and the SP (as you would for any IdP), but the interop is no different for a Proxy than it would be for a normal IdP. Also, the Proxy looks like an SP when it talks to the source IdPs, so you need to exchange metadata there too.

                Source IdPs <==> SP [one side of Proxy; other side of Proxy] IdP <==> Client SP

The arrows are SAML conversation paths, and also where you need metadata/configuration exchange.

--- Eric
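Added example (not code from this thread or from any proxy product) of the "post processing" step described above: the proxy accepts an assertion only from a source IdP it holds metadata for, adds an eduPersonEntitlement from its own store, and re-issues the assertion under its own entityID, so the client SP sees the attributes as coming from the proxy. All entityIDs, the entitlement table and the sample assertion are constructed; signature validation of the input and signing of the output are assumed to be handled by the surrounding SAML library.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2", SAML2)
EPE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement

# Constructed sample values: the entityIDs and the entitlement table are hypothetical.
PROXY_ENTITY_ID = "https://proxy.example.org/idp"
SOURCE_IDPS = {"https://idp-a.example.edu/idp", "https://idp-b.example.edu/idp"}  # metadata exchanged
ENTITLEMENTS = {("https://idp-a.example.edu/idp", "alice"): ["urn:mace:example.org:app:admin"]}

SOURCE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml2:Issuer>https://idp-a.example.edu/idp</saml2:Issuer>
  <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:oid:2.5.4.42"><saml2:AttributeValue>Alice</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def q(tag):
    return "{%s}%s" % (SAML2, tag)


def proxy_assertion(xml_text, proxy_id=PROXY_ENTITY_ID):
    """Post-process a source IdP assertion: accept only issuers the proxy has
    metadata for, add entitlements from the proxy's own store, then re-issue
    under the proxy's entityID. Verifying the source signature beforehand and
    signing the result afterwards are the SAML library's job (assumed here)."""
    root = ET.fromstring(xml_text)
    issuer = root.find(q("Issuer"))
    if issuer is None or issuer.text not in SOURCE_IDPS:
        raise ValueError("assertion is not from a registered source IdP")
    name_id = root.find(q("Subject") + "/" + q("NameID")).text
    stmt = root.find(q("AttributeStatement"))
    if stmt is None:
        stmt = ET.SubElement(root, q("AttributeStatement"))
    for value in ENTITLEMENTS.get((issuer.text, name_id), []):
        attr = ET.SubElement(stmt, q("Attribute"), Name=EPE)
        ET.SubElement(attr, q("AttributeValue")).text = value
    issuer.text = proxy_id  # the client SP sees every attribute as coming from the proxy
    return ET.tostring(root, encoding="unicode")


def summary(xml_text):
    """Return (issuer, {attribute name: [values]}) so the result can be inspected."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.findall(q("AttributeValue"))]
             for a in root.iter(q("Attribute"))}
    return root.find(q("Issuer")).text, attrs
```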

From: users [mailto:users-bounces at] On Behalf Of Stefano Zanmarchi
Sent: Monday, April 18, 2016 11:17 AM
To: Shib Users
Subject: RE: IdP gateway

Thank you for the answers.
@Eric: it wouldn't be an issue, but I was wondering: can the SP easily be configured to "point to" an IdP proxy instead of an IdP or to a Discovery Service?
On 18/apr/2016 19:31, "Eric Goodman" <Eric.Goodman at> wrote:
This can be done using an IdP Proxy. SimpleSamlPhp is one product you can use for this purpose. It has hooks for doing what you describe, but there would be custom coding required.

The approach assumes you have a process to populate and maintain the extra information (e.g., entitlements) for users from all of the IdPs for the proxy to pull information from. The Proxy doesn’t help at all with managing that extra information, it just offers a mechanism for “post processing” the SAML responses and injecting information before the SP gets the SAML response.

Using an IdP Proxy approach, the SP sees all the attributes as coming from the IdP Proxy, not from the original source IdPs, so it’s not “transparent” to the SP in that sense. It’s not clear from your description whether or not that would cause an issue for you.

--- Eric

From: users [mailto:users-bounces at] On Behalf Of Stefano Zanmarchi
Sent: Monday, April 18, 2016 7:23 AM
To: Shib Users
Subject: IdP gateway

Hi all,
I'm looking for an IdP gateway with the ability to add attributes to those received from an IdP.
The scenario I'd like to achieve is:
- the user clicks on the SP's login button
- she gets redirected to the IdP gateway
- the IdP gateway presents the user with a list of IdPs she can choose from
- the user selects an IdP and authenticates
- upon successful authentication the gateway returns the user to the SP adding some attributes (e.g. an entitlement).
Has something like this already been implemented, possibly open source? Any information would be greatly appreciated.

To unsubscribe from this list send an email to users-unsubscribe at