IdP gateway
Stefano Zanmarchi
zanmarchi at gmail.com
Tue Apr 19 00:27:04 EDT 2016
Thank you very much Eric for your clear and thorough explanation!
In addition to SimpleSAMLphp and its MultiAuth authentication module, which
I will surely take a look at, do you know of any other mature IdP proxy
implementation?
On Tue, Apr 19, 2016 at 1:40 AM, Eric Goodman <Eric.Goodman at ucop.edu> wrote:
> An IdP Proxy looks exactly like an IdP, kind of in the same way an http
> proxy looks exactly like an http server. So yes, it’s easy to do on the SP
> side.
>
> The Proxy will have its own unique entityID, so you would have to do the
> proper metadata exchange between the Proxy and the SP (as you would for any
> IdP) but the interop is no different for Proxy as it would be for a normal
> IdP. Also, the Proxy looks like an SP when it talks to the source IdPs, so
> you need to exchange metadata there too.
>
> Source IdPs <==> SP [one side of Proxy; other side of Proxy] IdP <==> Client SP
>
> The arrows are SAML conversation paths, and also where you need
> metadata/configuration exchange.
>
> --- Eric
>
> *From:* users [mailto:users-bounces at shibboleth.net] *On Behalf Of* Stefano Zanmarchi
> *Sent:* Monday, April 18, 2016 11:17 AM
> *To:* Shib Users
> *Subject:* RE: IdP gateway
>
> Thank you for the answers.
> @Eric: it wouldn't be an issue, but I was wondering: can the SP easily be
> configured to "point to" an IdP proxy instead of an IdP or to a Discovery
> Service?
>
> On 18 Apr 2016 at 19:31, "Eric Goodman" <Eric.Goodman at ucop.edu> wrote:
>
> This can be done using an IdP Proxy. SimpleSamlPhp is one product you can
> use for this purpose. It has hooks for doing what you describe, but there
> would be custom coding required.
>
> The approach assumes you have a process to populate and maintain the extra
> information (e.g., entitlements) for users from all of the IdPs for the
> proxy to pull information from. The Proxy doesn’t help at all with managing
> that extra information; it just offers a mechanism for “post processing”
> the SAML responses and injecting information before the SP gets the SAML
> response.
>
> Using an IdP Proxy approach, the SP sees all the attributes as coming from
> the IdP Proxy, not from the original source IdPs, so it’s not “transparent”
> to the SP in that sense. It’s not clear from your description whether or
> not that would cause an issue for you.
>
> --- Eric
>
> *From:* users [mailto:users-bounces at shibboleth.net] *On Behalf Of* Stefano Zanmarchi
> *Sent:* Monday, April 18, 2016 7:23 AM
> *To:* Shib Users
> *Subject:* IdP gateway
>
> Hi all,
>
> I'm looking for an IdP gateway with the ability to add attributes to those
> received from an IdP.
>
> The scenario I'd like to achieve is:
>
> - the user clicks on the SP's login button
>
> - she gets redirected to the IdP gateway
>
> - the IdP gateway presents the user with a list of IdPs she can choose from
>
> - the user selects an IdP and authenticates
>
> - upon successful authentication the gateway returns the user to the SP,
> adding some attributes (e.g. an entitlement).
>
> Has something like this already been implemented, possibly open source?
> Any information would be greatly appreciated.
>
> Thanks,
>
> Stefano
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
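As an added illustration of the "post processing" hook Eric describes (example code written for this thread, not SimpleSAMLphp's or Shibboleth's own): the proxy's SP side hands over an already-validated source-IdP assertion, the proxy looks up entitlements in the store its operator maintains, replaces any entitlement the source IdP asserted with its own, and re-issues the attributes under its own entityID, which is why the client SP sees everything as coming from the proxy. The entityIDs, the NameID, the store contents and the decision to overwrite rather than merge the entitlement are all assumptions of this example.

```python
import xml.etree.ElementTree as ET
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement
PROXY_ENTITY_ID = "https://proxy.example.org/idp"  # hypothetical proxy entityID

# The "extra information" the proxy operator maintains out of band, keyed by
# (source IdP entityID, NameID) so that "alice" at two IdPs never collides.
ENTITLEMENTS = {("https://idp-a.example.edu/idp", "alice"): ["urn:mace:example.org:app:admin"]}

# Constructed stand-in for a source IdP assertion (signature, Conditions, AuthnStatement
# omitted); it deliberately carries an entitlement value the proxy must not pass through.
SOURCE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_src1" Version="2.0">
  <saml:Issuer>https://idp-a.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ENTITLEMENT}">
      <saml:AttributeValue>urn:mace:example.org:app:spoofed</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def post_process(source_xml: str) -> str:
    # Input: an assertion the proxy's SP side already validated (signature, audience,
    # time window). Output: the assertion the proxy's IdP side hands to the client SP.
    a = ET.fromstring(source_xml)
    issuer = a.find("saml:Issuer", NS)
    name_id = a.find("saml:Subject/saml:NameID", NS)
    stmt = a.find("saml:AttributeStatement", NS)
    # The proxy is the sole authority for the entitlement: discard whatever a
    # source IdP put there rather than passing it through.
    for attr in stmt.findall("saml:Attribute", NS):
        if attr.get("Name") == ENTITLEMENT:
            stmt.remove(attr)
    values = ENTITLEMENTS.get((issuer.text.strip(), name_id.text.strip()), [])
    if values:
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=ENTITLEMENT)
        for v in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    # The client SP sees the proxy, not the source IdP, as issuer; a real proxy
    # would now sign the rewritten assertion with its own key.
    issuer.text = PROXY_ENTITY_ID
    return ET.tostring(a, encoding="unicode")

def summarize(xml: str):
    # Returns (issuer, {attribute Name: [values]}) for inspection.
    a = ET.fromstring(xml)
    attrs = {e.get("Name"): [v.text for v in e.findall("saml:AttributeValue", NS)]
             for e in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Issuer", namespaces=NS).strip(), attrs
```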