Multiple authentication domains mapping to different user repositories

Cantor, Scott cantor.2 at
Wed Apr 26 18:43:17 EDT 2017

On 4/26/17, 6:25 PM, "users on behalf of Florin Stingaciu" <users-bounces at on behalf of florin.stingaciu at> wrote:

> I have worked in the past with some proprietary IDPs that support this feature out of the box. Maybe I've been spoiled. Any help
> or direction in trying to solve for this use case would be highly appreciated. If the shibboleth IDP doesn't support this,

It supports it if you create custom login flows and customized attribute resolution configuration to do what you want. There are numerous hooks throughout the source code to facilitate doing it without writing code, but it requires Spring WebFlow expertise and I doubt anybody but me could do it in any reasonable amount of time. I can alude to various bits and pieces of it, but without the Spring WebFlow understanding, it wouldn't mean much.

I can't give you any documentation on it. If you wanted to support the project financially, then obviously I'd probably have a different perspective on writing that documentation, but it's not happening for free.

On the resolver end of things, you have basically all the control you need. If you want to control data connector behavior you can attach scripted condition beans that limit when they get used based on the authenticated subject, and that's probably most of what's needed on that end of things.

My general answer? You should use two IdPs. It's a bad trade off to take a problem that's simple to solve with two and try and solve it by building a complicated and brittle configuration for one.

-- Scott

More information about the users mailing list