Proxy IdP hybrid question local and remote IdPs
Mak, Steve
makst at upenn.edu
Tue Sep 8 23:48:14 UTC 2020
Hi all.
I'm trying to figure out how to solve the following use case:
For a specific SP we need to present users with the ability to choose either my IdP or a remote IdP for authentication. (preferably at the authn/Password view step)
We don't control the SP so we can't force discovery at the SP level at this time.
I've figured out how to set up proxy IdP for 1 SP using
- filter with xsi:type=Issuer
- resolver SubjectDerivedAttribute with a Subject DataConnector
- mfa script to route to authn/SAML for the SP and bypass 2FA
- set the optional SAML.discoveryFunction to the 1 IdP we'll use
- activated the c14n/attribute flow
- set my c14n.attribute.AttributesToResolve and SourceIds to the resolver SubjectDerived id
This appears to have the side effect of causing c14n/attribute to run for ALL authn flows, not just authn/SAML unless I create an activationCondition script to bypass c14n/attribute conditionally. I also notice that before it did not attempt to canonicalize after authn/Password, but now it does. While I don't really mind the extra log lines, I'm worried that I did something wrong.
Questions:
1. Did I do this correctly? I was hoping c14n/simple would still be chosen for my other SPs.
2. I don't see an ability to use my IdP vs remote IdP for a single SP; is proxy intended for this?
3. Is Proxy IdP intended to be used in a hybrid c14n context?
Thank you,
Steve Mak
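For the activationCondition mentioned in the post, here is an added example of what a scripted condition on the c14n/attribute flow could look like; it is not from the original message or from the Shibboleth project's own configuration. It assumes the IdP 4 scripting beans (shibboleth.Conditions.Scripted with the inlineScript factory method, where `input` is the ProfileRequestContext) and the standard PostLoginSubjectCanonicalizationFlow parent bean; the bean id shibboleth.c14n.attribute.ActivationCondition and the relying party ID https://sp.example.org/shibboleth are placeholders, and the assumption that AuthenticationContext already carries the AuthenticationResult when the post-login c14n flow is selected should be checked against the Shibboleth wiki for the IdP version in use.

```xml
<!-- conf/c14n/subject-c14n.xml (excerpt) -->
<!-- Added example, not the project's own configuration: only let
     c14n/attribute run when the subject came from the authn/SAML proxy
     flow for the one relying party that uses it. Every other login
     (e.g. authn/Password) falls through to c14n/simple as before. -->

<!-- Hypothetical bean id; the script returns true only for the proxied case. -->
<bean id="shibboleth.c14n.attribute.ActivationCondition"
      parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            // 'input' is the ProfileRequestContext for a scripted condition.
            // Placeholder relying party; replace with the SP's entityID.
            var proxiedSP = "https://sp.example.org/shibboleth";

            var rpCtx = input.getSubcontext(
                "net.shibboleth.idp.profile.context.RelyingPartyContext");
            if (rpCtx == null || rpCtx.getRelyingPartyId() != proxiedSP) {
                false;   // any other SP: keep the existing c14n behaviour
            } else {
                var authnCtx = input.getSubcontext(
                    "net.shibboleth.idp.authn.context.AuthenticationContext");
                // Assumption: the just-completed login result is present here.
                var result = (authnCtx != null) ? authnCtx.getAuthenticationResult() : null;
                result != null && result.getAuthenticationFlowId() == "authn/SAML";
            }
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- Attach the condition to the flow; the parent bean is the IdP's own. -->
<bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow"
      p:activationCondition-ref="shibboleth.c14n.attribute.ActivationCondition" />
```

With the condition in place, the c14n log lines for authn/Password logins should disappear, which gives a quick way to confirm that c14n/simple is again being chosen for the other SPs. Gating on both the relying party and the authentication flow ID is deliberate: a condition keyed only on the flow would still apply attribute-sourced canonicalization to any future SP that happens to route through authn/SAML.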