PingOne SSO cloud integrations

Peter Schober peter.schober at univie.ac.at
Tue Jan 28 12:49:03 EST 2020


* Schwendner, Joanne <joanne_schwendner at brown.edu> [2020-01-28 18:01]:
> Recently we have had several different vendors present us with the same
> metadata that they generated from this product -- the VERY SAME for all
> vendors.  Apparently the SP metadata they get when they set up an
> integration uses the very same ACS endpoints and logout endpoints, and the
> very same signing/encryption cert.  A couple even had the same Entity ID.
> (I turned those back.)

Well, with endpoints, keys and entityIDs being the same that just
tells me in no uncertain terms it's just a single SP.  Which would be
fine as long as the policy requirements (attribute release, strong
authentication, etc.) for everything behind that one SP were
sufficiently similar -- and of course the SP doesn't run into trouble
tracking just to what service I actually wanted to log in at any given
point.

I'm guessing the first condition may or may not be satisfied across
the products having chosen this SAML outsourcing service. The latter
condition -- the SP itself being fine with it -- already seems to have
failed since you wrote:

> PingOne sorts them out using that Entity ID, and directs them to the
> correct tenant.

So if they confuse themselves by allowing duplicate entityIDs among
their tenants, well, nothing good can come from that.

-peter
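As an added example (not code from this thread, from PingOne, or from the Shibboleth project), here is a small check an IdP operator could run over the SP metadata files vendors hand in, to spot the situation described above: the same entityID, the same AssertionConsumerService/SingleLogoutService endpoints and the same signing/encryption certificate turning up in metadata from several supposedly different vendors. The metadata documents, hostnames and certificates below are constructed placeholders, not real SP material; the certificate values are just base64 of a marker string, and comparison is by SHA-256 of the decoded bytes.

```python
"""Flag SP metadata that several vendors submitted as their own but which
actually describes one shared SAML SP (same entityID, endpoints, keys)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_sp_profile(metadata_xml):
    """Pull the identifying material out of one SP's md:EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor, got %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in %s" % root.get("entityID"))
    acs = sorted({e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)})
    slo = sorted({e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)})
    certs = set()
    for cert in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        der = base64.b64decode("".join(cert.text.split()))  # strip PEM line wrapping
        certs.add(hashlib.sha256(der).hexdigest())
    return {"entityID": root.get("entityID"), "acs": acs, "slo": slo, "certs": sorted(certs)}


def audit_sp_submissions(submissions):
    """submissions: {vendor_name: metadata_xml}. Returns one finding per piece of
    SP material (entityID, endpoint, certificate) present in more than one
    vendor's metadata; an empty list means every vendor really is its own SP."""
    seen = defaultdict(set)  # (kind, value) -> vendors that submitted it
    for vendor, xml in submissions.items():
        p = extract_sp_profile(xml)
        seen[("entityID", p["entityID"])].add(vendor)
        for loc in p["acs"]:
            seen[("AssertionConsumerService", loc)].add(vendor)
        for loc in p["slo"]:
            seen[("SingleLogoutService", loc)].add(vendor)
        for fp in p["certs"]:
            seen[("X509Certificate sha256", fp)].add(vendor)
    findings = [
        {"kind": k, "value": v, "vendors": sorted(vs)}
        for (k, v), vs in seen.items() if len(vs) > 1
    ]
    return sorted(findings, key=lambda f: (f["kind"], f["value"]))


# --- constructed sample input (placeholder hosts and fake certificates) ---
def _constructed_metadata(entity_id, host, cert_b64):
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://{host}/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{host}/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


CERT_SHARED = base64.b64encode(b"constructed placeholder cert shared, not real DER").decode()
CERT_OTHER = base64.b64encode(b"constructed placeholder cert other, not real DER").decode()

# Two vendors hand in byte-identical broker metadata; a third runs its own SP.
SAMPLE_SUBMISSIONS = {
    "vendor-a": _constructed_metadata("https://sso.broker.example/sp", "sso.broker.example", CERT_SHARED),
    "vendor-b": _constructed_metadata("https://sso.broker.example/sp", "sso.broker.example", CERT_SHARED),
    "vendor-c": _constructed_metadata("https://sso.vendor-c.example/sp", "sso.vendor-c.example", CERT_OTHER),
}

if __name__ == "__main__":
    for f in audit_sp_submissions(SAMPLE_SUBMISSIONS):
        print("%-24s shared by %s: %s" % (f["kind"], ", ".join(f["vendors"]), f["value"]))
```

Running it prints four findings, all shared by vendor-a and vendor-b (entityID, ACS, SLO and certificate fingerprint) and nothing for vendor-c. A single shared endpoint or key is already enough to treat the submissions as one SP for policy purposes; a shared entityID on top of that is what makes per-vendor routing on the broker side unreliable, as the reply above notes.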

