Forwarding to IDPs based on email domain of user

Nate Klingenstein ndk at
Fri Aug 13 21:04:31 UTC 2021


This is a tough question, because:

> Is there a way, with SAML, to forward a user to a preferred IDP based on the user's email address?

There is no standard way in SAML to signal that a particular domain is associated with a particular IdP.  Metadata instead focuses on associating entities with organizations.

In Shibboleth, the story gets more complicated.  The shibmd:Scope element enumerates the domains for which an IdP is considered authoritative.  An SP can consider multiple IdP's to be authoritative for the same domain.  However, even Shibboleth uses this mainly for filtering of attribute scopes on return.

But, with Shibboleth, you could set up a proxy IdP like you suggested(specifically, using the MFA flow to route the user to Password authentication or SAML authentication depending on the email domain).   This IdP would be declared authoritative for all domains under its purvey, and it avoids the need for multiple URL's, but there is no good way to signal to SP's that either IdP, or any IdP for that matter is authoritative for a particular domain.

Take care,

More information about the users mailing list