Multiple Active Directories

Losen, Stephen C (scl) scl at
Wed May 22 05:57:49 EDT 2019


Sounds like you want to do something similar to what we are doing.

We have two AD domains (Academic and Health System) and a third "IAM" LDAP server for password verification.  We are using IDP Password auth with JAAS and LDAP.  We verify passwords by binding to the three LDAP services in sequence until success. The bind uses the username and password from the login page (the IDP does not bind with its own credentials and then verify using a password attribute in the user record).

Our login page is designed to use "bare" usernames.  In fact the Password flow strips off any domain info from the username, which must be a sequence of alphas, digits, dashes, or underscores.  Each JAAS LDAP config adds back whatever decoration is required to bind to that particular LDAP service.

Our usernames are centrally managed, so foo at domain1 and foo at domain2 refer to the same person. If you have username collisions across your two domains, where foo at domain1 and foo at domain2 are different users, then that certainly complicates things for you.

Steve Losen
ITS - Enterprise Infrastructure
University of Virginia
scl at<mailto:scl at>    434-924-0640

From: users <users-bounces at> On Behalf Of Michael A Grady
Sent: Tuesday, May 21, 2019 6:42 PM
To: Shib Users <users at>
Subject: Re: Multiple Active Directories

On May 21, 2019, at 5:28 PM, Peter Schober <peter.schober at<mailto:peter.schober at>> wrote:

* Myn Harry <mynharry at<mailto:mynharry at>> [2019-05-21 21:47]:

Is there a way in Shibboleth to bind against both Active Directories for
authentications? Try College A, and next College B, for successful bind?

Note that unless you know that userids/netids (whatever subjects enter
during authen on your IDPs login page) are unique across both
directories that's potentially insecure.

(Only) If subjects are already forced to enter domain-qualified
userids (e.g. user at<mailto:user at>) during login would that be safe.


Yes, if your namespaces are going to overlap, such that the username the users fill in is not unique between the 2 directories, another alternative to consider is to use the Unicon SplitAuthn extension, but then the user needs to choose which they want to use on the Login page. Or some similar approach. See:

That approach allows for tying the attribute source to the authentication source, so only one directory is accessed for both, based on the "realm" chosen by the user.

Or, as Peter suggests, make them enter domain-qualified userids as the username in the first place.

p.s. It is now being used with 3.4.x releases, so it will work with 3.4.x, need to get that page updated.

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list