Is SAML Proxying to another IdP for specific SP's possible?
cantor.2 at osu.edu
Fri Aug 6 12:39:07 UTC 2021
On 8/6/21, 2:57 AM, "users on behalf of Anthony K" <users-bounces at shibboleth.net on behalf of ak.shib at anroet.com> wrote:
> Say I have an IdP serving multiple Service Providers - Is it possible to perform SAML Proxying to another IdP
> for a few select SP's? I'm busy searching but also asking here as a short circuit.
That depends greatly on the larger set of behaviors you're trying to mix together, other login methods, etc.
Generally using the MFA flow to script the choices is the most direct way to get whatever outcome you want in every case and any IdP not using the MFA flow is pretty much a toy at this point anyway.
Normally method selection is handled with AuthnContextClassRefPrincipal objects attached to login flows and to relying party overrides to force selection of specific methods but that gets hairy with proxying because there's also the communication of the actual authentication context from the proxied IdP to deal with and express.
More information about the users