Office 365 Multi-Domain
Cantor, Scott
cantor.2 at osu.edu
Mon Jul 27 17:52:09 UTC 2020
On 7/27/20, 1:13 PM, "users on behalf of Matt Brennan" <users-bounces at shibboleth.net on behalf of brennanma at gmail.com> wrote:
> TL;DR: Is there a guide somewhere on how to do this properly?
Well, step one is filing a bug, because this is ridiculous.
That aside, the way to do it is:
1. Upgrade, because it's not supported in V3.
2. A responderIdLookupStrategy, in some form. I can't give you a script because I have no idea on what basis the value would be derived, but the script should NOT need to do a ton of work. It certainly does not need to resolve attributes or anything like that.
3. Configuring the context-check interceptor to signal back the event "UpdateSecurityParameters" when this needs to happen. This will cause the system to re-derive various settings, including the entityID, to update the outgoing message.
#3 is not (well) documented; it was implemented [1] at SWITCH's request as a supported way to get all the internals to update without having to mess around with them and break abstraction. It's mentioned very briefly in [2]. I'll try and put a mention of it in the context-check topic.
-- Scott
[1] https://issues.shibboleth.net/jira/browse/IDP-1238
[2] https://wiki.shibboleth.net/confluence/display/IDP4/ProfileHandling