Forwarding to IDPs based on email domain of user

Sean Flannery sean.flannery at
Fri Aug 13 20:34:08 UTC 2021


My org has used Shib SP for some time, going to multiple IDPs.

A change will happen where users with a particular set of email domains will be removed from our main IDP, but we still need to authenticate them.

Is there a way, with SAML, to forward a user to a preferred IDP based on the user's email address?

More Info:

Our first thought was to set up a Shibboleth IDP that looks at the email domain of the user and, if it's one of the domains not supported by the main IDP anymore, this Shibboleth IDP authenticates the user against LDAP. But, if the domain is in the main IDP, this Shibboleth IDP forwards, through SAMLProxying or Federation (or something?), the user to the main IDP.

In short, we want the main IDP to continue to be the preferred IDP for all the domains it services, and the new IDP to only handle the domains that the main one doesn't cover.

I'm having a hard time finding info on how you would accomplish that with SAML.

Most of the stuff I'm finding seems to solve it by the URLs, where you have users of the main IDP go to, say, "" but users of the other IDP go to "". We would prefer to keep URLs the same and instead base it off email domain if that's possible.

Any help would be appreciated.


Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to email for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of WPP 2005 Ltd. shall be understood as neither given nor endorsed by it.
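
The routing described in the question, sketched as an added example that is not part of the original post: a discovery step maps the typed address to an IdP and redirects to the SP's login handler, then checks after login that the asserting IdP is the one that serves the asserted domain. The host names, domain list and function names are constructed placeholders; the `/Shibboleth.sso/Login` path with `entityID` and `target` parameters assumes the SP's default handler configuration.

```python
from urllib.parse import urlencode

# Constructed placeholders, not values from the original post.
MAIN_IDP = "https://idp-main.example.org/idp/shibboleth"
LDAP_IDP = "https://idp-ldap.example.org/idp/shibboleth"
LDAP_DOMAINS = {"legacy.example.com", "partner.example.net"}  # domains leaving the main IdP
SP_LOGIN = "https://sp.example.org/Shibboleth.sso/Login"  # assumed default SP handler path


def email_domain(email):
    """Return the lower-cased domain, or None for an address that cannot be routed."""
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or "@" in local:
        return None
    if not domain.isascii() or any(c.isspace() for c in email):
        return None  # no IDN or embedded whitespace: only exact ASCII domains are routed
    return domain


def idp_for(email):
    """Exact-match routing: listed domains go to the LDAP IdP, all others to the main IdP."""
    domain = email_domain(email)
    if domain is None:
        return None
    return LDAP_IDP if domain in LDAP_DOMAINS else MAIN_IDP


def login_url(email, target="/"):
    """Build the SP login redirect; the typed address is a routing hint, not an identity."""
    idp = idp_for(email)
    # Accept local paths only, so the target cannot be used as an open redirect.
    if idp is None or not target.startswith("/") or target.startswith("//") or "\\" in target:
        return None
    return SP_LOGIN + "?" + urlencode({"entityID": idp, "target": target})


def issuer_matches(asserted_email, issuer_entity_id):
    """After login: accept an asserted mail value only from the IdP serving its domain."""
    expected = idp_for(asserted_email)
    return expected is not None and expected == issuer_entity_id
```

The `issuer_matches` check matters because either IdP can release any mail value it likes; without it, the routing table says where users are sent but not which IdP the application trusts for a given domain.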