Peter Schober peter.schober at
Mon Mar 12 08:38:30 EDT 2018

* jtroschke <jtroschke at> [2018-03-12 08:50]:
> Thank you for your prompt reply
> OK, so I'm on the wrong track. 
> I  found
> "Here are some use cases that usually do NOT require an additional
> application be defined:
>     use of a particular IdP or discovery service based on the resource"

The most powerful model, and at the same time the easiest (with the
Shibboleth SP), is to just use the same entityID (and possibly
hostname) for all IDPs, i.e., no application overrides.
That enables multi-party "federation", not merely "multi-tenancy", and
all IDPs can use the same, i.e., "your", SAML Metadata.

Who can access what resource is completely independent of metadata
and session initiation, and should be part of access control. With
SAML this is obviously based on attributes, i.e., ABAC.


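Added example (not from the thread above, and not code from the Shibboleth project): a minimal shibboleth2.xml sketch of the model Peter describes. One ApplicationDefaults with a single entityID, no ApplicationOverride elements, a single federation metadata feed shared by all IdPs, discovery via a discovery service, and the "who may reach which path" question answered purely by attribute-based AccessControl rules in the RequestMap. The hostnames, URLs, certificate file names, and the affiliation/entitlement values are hypothetical placeholders; attribute IDs such as affiliation and entitlement assume the stock attribute-map.xml shipped with the SP.

```xml
<!-- Added example: single-entityID, federation-style Shibboleth SP config.
     Hostnames, URLs and attribute values are placeholders, not real deployments. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <!-- Access control lives here, per resource path, and never touches
       metadata or session initiation: any IdP in the federation may log
       a user in, but only users carrying the right attributes get through. -->
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="sp.example.org">
        <!-- Any authenticated federation user (session required, no further rule). -->
        <Path name="secure" authType="shibboleth" requireSession="true"/>

        <!-- Staff-only area: scoped affiliation from one specific home org. -->
        <Path name="staff" authType="shibboleth" requireSession="true">
          <AccessControl>
            <Rule require="affiliation">staff@example.edu</Rule>
          </AccessControl>
        </Path>

        <!-- Licensed resource: any IdP, but the user must carry the
             entitlement OR be a member of one of the named organisations. -->
        <Path name="library" authType="shibboleth" requireSession="true">
          <AccessControl>
            <OR>
              <Rule require="entitlement">urn:mace:dir:entitlement:common-lib-terms</Rule>
              <Rule require="affiliation">member@example.edu member@partner.example.net</Rule>
            </OR>
          </AccessControl>
        </Path>
      </Host>
    </RequestMap>
  </RequestMapper>

  <!-- One entityID for everybody: the same SP metadata is registered with
       the federation and consumed by all IdPs. No ApplicationOverride. -->
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id"
                       signing="front" encryption="false">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <!-- IdP selection is delegated to a discovery service, so no
           per-resource IdP pinning is needed. -->
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://ds.example.edu/DS/WAYF">
        SAML2
      </SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- Single federation metadata feed; every IdP in it is trusted to
         authenticate users. Signature check and validUntil cap are the
         controls that keep this trust anchored to the federation operator. -->
    <MetadataProvider type="XML" validate="true"
                      url="https://md.example.edu/federation-metadata.xml"
                      backingFilePath="federation-metadata.xml"
                      maxRefreshDelay="3600">
      <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
      <MetadataFilter type="Signature" certificate="federation-signer.pem"
                      verifyBackup="false"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>
    <!-- The attribute policy is what makes ABAC trustworthy: e.g. the stock
         policy only accepts scoped affiliations whose scope the asserting
         IdP is authorised for in metadata. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

The point of the layout: the Host/Path rules decide authorisation, the metadata provider decides authentication trust, and neither needs to know about the other. Adding a new IdP is a federation metadata change, not an SP change; restricting a new resource is a RequestMap change, not a metadata change. The value of scoped attributes in those rules is only as strong as the AttributeFilter policy that checks scopes against metadata, so keep that filter in place when relying on affiliation for access decisions.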