Shibboleth IDP 3 configure different Authentication flows for SPs

Cantor, Scott cantor.2 at osu.edu
Tue Aug 23 09:49:52 EDT 2016


On 8/23/16 9:03 AM, Juan Quintanilla wrote:
> 
> We currently have Shibboleth IDP 3 using JAAS and wanted to know if it's
> possible to configure an SP to use a specific authentication flow. For
> example, if we have 2 SPs configured and want SP A to authenticate to
> LDAP and SP B to authenticate to AD, is that doable? If so, what would be
> the best approach to accomplish this, and does anyone have any examples?

There's really no simple way in 3.2. It will be trivial in 3.3. Doing it
now without duplicating flows would probably be done by copying the
enhancements I did in 3.3 [1] for the JAAS back-end action bean in Java,
basically either patching that class and config changes or copying the
code and substituting the copied class in as a substitute back-end. I
outlined how that substitution pattern works in the Password
configuration wiki topic under alternative back-ends.

What you're talking about would be much more work. Different *flows*
means you'd have to build your own second flow by copying an existing
one completely.

-- Scott

[1] The change was basically to allow a Function to be plugged in that
returns the right JAAS config name to apply based on the state of the
request (i.e. which SP it is).
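
The idea in footnote [1], sketched as an added example that is not part of the original message and is not Shibboleth's own code: a function maps the requesting SP to a JAAS login configuration name, and the name is checked against the loaded Configuration before use. The entityIDs, entry names and module class name are constructed placeholders, and the request state is reduced to the SP's entityID.

```java
import java.util.Map;
import java.util.function.Function;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasConfigSelector {
    // Constructed mapping: SP entityID -> JAAS login configuration name (all hypothetical).
    static final Map<String, String> BY_SP = Map.of(
        "https://sp-a.example.org/shibboleth", "ShibLdapAuth",
        "https://sp-b.example.org/shibboleth", "ShibAdAuth");
    static final String DEFAULT_NAME = "ShibLdapAuth";

    // The pluggable function: request state (here just the SP entityID) -> config name.
    static final Function<String, String> SELECTOR =
        spEntityId -> BY_SP.getOrDefault(spEntityId, DEFAULT_NAME);

    // Stand-in for a jaas.config file that holds one entry per back-end.
    static Configuration sampleConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!name.equals("ShibLdapAuth") && !name.equals("ShibAdAuth")) {
                    return null; // no entry with that name
                }
                // Placeholder module class; it is never loaded in this example.
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "example.PlaceholderLoginModule", LoginModuleControlFlag.REQUIRED,
                    Map.of("backend", name)) };
            }
        };
    }

    // Resolve the name and refuse one that has no entry. LoginContext would otherwise
    // fall back to the entry named "other" when the Configuration defines one.
    static String resolve(Configuration cfg, String spEntityId) {
        String name = SELECTOR.apply(spEntityId);
        if (cfg.getAppConfigurationEntry(name) == null) {
            throw new IllegalStateException("No JAAS entry named " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        Configuration cfg = sampleConfig();
        System.out.println(resolve(cfg, "https://sp-a.example.org/shibboleth"));
        System.out.println(resolve(cfg, "https://sp-b.example.org/shibboleth"));
        System.out.println(resolve(cfg, "https://unlisted.example.org/sp"));
    }
}
```

The resolved name is what would be passed to `new LoginContext(name, callbackHandler)`; checking it first keeps a typo in the mapping from silently authenticating an SP against whatever the "other" entry points at.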

