IdP gateway

Niels van Dijk niels.vandijk at surfnet.nl
Tue Apr 19 04:56:34 EDT 2016


On 19-04-16 06:27, Stefano Zanmarchi wrote:
> Thank you very much Eric for your clear and thorough explanation! 
> In addition to SimpleSAMLphp and its MultiAuth authentication
> module, which I will surely take a look at, do you know of any
> other mature IdP proxy implementation?
> 

You could also take a look at OpenConext (https://www.openconext.org &
https://github.com/openconext) which will give you an IdP proxy with
additional features like attributes aggregation, AuthZ handling, Group
management, statistics and some other bells and whistles.

We use this in our production federation to take care of some 50
million transactions yearly.

Cheers,
Niels



> On Tue, Apr 19, 2016 at 1:40 AM, Eric Goodman
> <Eric.Goodman at ucop.edu <mailto:Eric.Goodman at ucop.edu>> wrote:
> 
> An IdP Proxy looks exactly like an IdP, kind of in the same way an
> http proxy looks exactly like an http server. So yes, it’s easy to
> do on the SP side.
> 
> The Proxy will have its own unique entityID, so you would have to
> do the proper metadata exchange between the Proxy and the SP (as
> you would for any IdP) but the interop is no different for a Proxy as
> it would be for a normal IdP. Also, the Proxy looks like an SP when
> it talks to the source IdPs, so you need to exchange metadata
> there too.
> 
> Source IdPs <==> SP [one side of Proxy; other side of Proxy] IdP
> <==> Client SP
> 
> The arrows are SAML conversation paths, and also where you need
> metadata/configuration exchange.
> 
> --- Eric
> 
> *From:* users [mailto:users-bounces at shibboleth.net
> <mailto:users-bounces at shibboleth.net>] *On Behalf Of* Stefano
> Zanmarchi *Sent:* Monday, April 18, 2016 11:17 AM *To:* Shib Users
> *Subject:* RE: IdP gateway
> 
> Thank you for the answers. @Eric: it wouldn't be an issue, but I
> was wondering: can the SP easily be configured to "point to" an IdP
> proxy instead of an IdP or to a Discovery Service?
> 
> On 18/apr/2016 19:31, "Eric Goodman" <Eric.Goodman at ucop.edu
> <mailto:Eric.Goodman at ucop.edu>> wrote:
> 
> This can be done using an IdP Proxy. SimpleSamlPhp is one product
> you can use for this purpose. It has hooks for doing what you
> describe, but there would be custom coding required.
> 
> The approach assumes you have a process to populate and maintain
> the extra information (e.g., entitlements) for users from all of
> the IdPs for the proxy to pull information from. The Proxy doesn’t
> help at all with managing that extra information, it just offers a
> mechanism for “post processing” the SAML responses and injecting
> information before the SP gets the SAML response.
> 
> Using an IdP Proxy approach, the SP sees all the attributes as
> coming from the IdP Proxy, not from the original source IdPs, so
> it’s not “transparent” to the SP in that sense. It’s not clear
> from your description whether or not that would cause an issue for
> you.
> 
> --- Eric
> 
> *From:* users [mailto:users-bounces at shibboleth.net
> <mailto:users-bounces at shibboleth.net>] *On Behalf Of* Stefano
> Zanmarchi *Sent:* Monday, April 18, 2016 7:23 AM *To:* Shib Users
> *Subject:* IdP gateway
> 
> Hi all,
> 
> I'm looking for an IdP gateway with the ability to add attributes
> to those received from an IdP.
> 
> The scenario I'd like to achieve is:
> 
> - the user clicks on the SP's login button
> - she gets redirected to the IdP gateway
> - the IdP gateway presents the user with a list of IdPs she can
> choose from
> - the user selects an IdP and authenticates
> - upon successful authentication the gateway returns the user to
> the SP adding some attributes (e.g. an entitlement).
> 
> Has something like this already been implemented, possibly open
> source? Any information would be greatly appreciated.
> 
> Thanks,
> 
> Stefano
> 
> -- To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
> <mailto:users-unsubscribe at shibboleth.net>


-- 
Niels van Dijk        Technical Product Manager Trust & Security
Mob: +31 651347657  |   Skype: cdr-80  |  PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
www.surfnet.nl                                www.openconext.org
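One way to wire up the two-sided proxy Eric describes (SP side toward the source IdPs, IdP side toward the client SP, with attribute injection in between) in SimpleSAMLphp, shown here as an added configuration sketch that is neither from this thread nor from the SimpleSAMLphp project itself; all hostnames, entityIDs, source names, key file names and the entitlement URN are hypothetical:

```php
<?php
// config/authsources.php -- the proxy's SP side, facing the source IdPs.
// Each source IdP's metadata must also be loaded into metadata/saml20-idp-remote.php
// (the "exchange metadata there too" step); each saml:SP source publishes its own
// SP metadata, which the corresponding source IdP has to register.
$config = [
    'sp-uni-a' => [
        'saml:SP',
        'entityID' => 'https://proxy.example.org/sp/uni-a',  // hypothetical
        'idp'      => 'https://idp.uni-a.example/idp',        // hypothetical source IdP
    ],
    'sp-uni-b' => [
        'saml:SP',
        'entityID' => 'https://proxy.example.org/sp/uni-b',  // hypothetical
        'idp'      => 'https://idp.uni-b.example/idp',        // hypothetical source IdP
    ],
    // MultiAuth presents the list the user chooses from and hands off to the
    // selected saml:SP source, which then authenticates against its pinned IdP.
    'gateway' => [
        'multiauth:MultiAuth',
        'sources' => [
            'sp-uni-a' => ['text' => ['en' => 'University A']],
            'sp-uni-b' => ['text' => ['en' => 'University B']],
        ],
    ],
];

// metadata/saml20-idp-hosted.php -- the proxy's IdP side, facing the client SP.
// The array key is the proxy's own IdP entityID; the client SP registers this
// IdP's metadata, and the client SP's metadata goes in saml20-sp-remote.php.
$metadata['https://proxy.example.org/idp'] = [   // hypothetical proxy entityID
    'host'        => '__DEFAULT__',
    'privatekey'  => 'proxy.pem',   // hypothetical key/cert file names under cert/
    'certificate' => 'proxy.crt',
    'auth'        => 'gateway',     // authenticate users via the MultiAuth source above
    'authproc'    => [
        // Post-processing stage: runs on the attributes received from the source
        // IdP before the assertion for the client SP is built. The client SP will
        // see every attribute, including this one, as coming from the proxy.
        50 => [
            'class' => 'core:AttributeAdd',
            'eduPersonEntitlement' => ['urn:mace:example.org:entitlement:gateway-user'],
        ],
    ],
];
```

A static `core:AttributeAdd` grants the same value to everyone who authenticates through the proxy; deriving per-user entitlements from an external source is the "custom coding" Eric refers to and is not shown here.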