Is SAML Proxying to another IdP for specific SPs possible?

Cantor, Scott cantor.2 at
Fri Aug 6 12:39:07 UTC 2021

On 8/6/21, 2:57 AM, "users on behalf of Anthony K" <users-bounces at on behalf of ak.shib at> wrote:

>    Say I have an IdP serving multiple Service Providers - Is it possible to perform SAML Proxying to another IdP
> for a few select SPs?  I'm busy searching but also asking here as a short circuit.

That depends greatly on the larger set of behaviors you're trying to mix together, other login methods, etc.

Generally, using the MFA flow to script the choices is the most direct way to get whatever outcome you want in every case, and any IdP not using the MFA flow is pretty much a toy at this point anyway.

Normally, method selection is handled with AuthnContextClassRefPrincipal objects attached to login flows and to relying party overrides to force selection of specific methods, but that gets hairy with proxying because there's also the communication of the actual authentication context from the proxied IdP to deal with and express.

-- Scott
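
A sketch of the MFA-flow scripting mentioned in the reply above, added here as an illustration and not taken from the original message or from the Shibboleth project's shipped configuration. It assumes an IdP V4 layout with MFA as the selected login flow and the authn/SAML (proxy) and authn/Password flows already configured; the SP entityIDs and the bean id `selectFlowBySP` are constructed. It covers flow selection only, not the mapping of the proxied IdP's authentication context.

```xml
<!-- conf/authn/mfa-authn-config.xml (IdP V4 layout assumed) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Empty key = first transition: let the script pick the login flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition"
              p:nextFlowStrategy-ref="selectFlowBySP" />
    </entry>
    <!-- No entries for authn/SAML or authn/Password: either one ends the MFA flow. -->
</util:map>

<!-- selectFlowBySP is a hypothetical bean id chosen for this example. -->
<bean id="selectFlowBySP" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
            // Constructed entityIDs: the SPs whose logins should be proxied.
            var proxied = {
                "https://sp1.example.org/shibboleth": true,
                "https://sp2.example.org/shibboleth": true
            };
            // input is the ProfileRequestContext for the current request.
            var rpCtx = input.getSubcontext(
                "net.shibboleth.idp.profile.context.RelyingPartyContext");
            var rpId = rpCtx != null ? rpCtx.getRelyingPartyId() : null;
            // Proxy the listed SPs; every other SP gets local password login.
            var nextFlow = (rpId != null && proxied[rpId] === true)
                ? "authn/SAML" : "authn/Password";
            nextFlow;
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Matching on exact entityID strings keeps an unlisted or unexpected SP on the local login path by default.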
