Multiple LDAP domains on the same IDP

Peter Schober peter.schober at
Fri Oct 25 07:55:40 EDT 2019

* D'alessio Adriano <Adriano.Dalessio at> [2019-10-25 13:34]:
> *         The users are not the same on domain A and domain B
> *         The users from domain B can't be transferred into domain A and vice versa and have to be separated
> *         The SP will be used by users from both domains

The main criterion should be (and I'm not sure your above liste was
intended to specify this or not) whether userids are either guaranteed
to be mutually exclusive to each domain, or -- where the same userid
may exist in both domains -- that at least it represents the same
person (though that may still cause issues with differing passwords
for the two accounts).

Another way of avoiding this issue would be forcing users to enter
scoped userids during login which would give you the LDAP server to
look them up in in the domain part. (Of course if you're not doing
that already you shouldn't start doing it now.)

There's also the question of multiple MS-AD domains in a "forest" (?)
where you can authenticate accounts in multiple domains using a single
LDAP configuration. But I know nothing about MS.

> What are your recommendations for this? Having 2 IDP or having
> different ldap configurations on the existing IDP (if that's
> possible at all for our need ?)

Of course you'd avoid standing up a second IDP (to maintain, secure,
etc.) unless it's absolutely necessary.
The above doesn't sound to me as it would be necessary but the
information presented may not be sufficient to determine that yet.


More information about the users mailing list