Forwarding to IDPs based on email domain of user

Peter Schober peter.schober at
Fri Aug 13 23:17:59 UTC 2021

* Sean Flannery <sean.flannery at> [2021-08-13 22:34]:
> Is there a way, with SAML, to forward a user to a preferred IDP
> based on the user's email address?

How does the system that's supposed to do the "forwarding" get to know
the subject's email address?

Sounds to me you'd need some kind of IDP Discovery Service (or a
replacement for such a thing) that the subject will have to enter her
email address into (even if you're only interested in the domain
Some mail domains would then map to a certain entityID (and the
browser would be sent on to that IDP with an authn request; this IDP
would authenticate the subject via method A, e.g. username/email and
password against LDAP), other mail domains would map to another
entityID (and the browser be sent on to another IDP with another authn
request; that could use a similar or completely different authn method).

(The downside of such an approach would be that the subject would
first have to enter her email address to get at the right IDP and then
would possibly have to again enter her email address as part of
username/email and password-based authentication. Though the
"Discovery Service" could offer to remember previous choices in
cookies or localStorage and so the subject wouldn't have to enter her
email address every single time in order to find the right IDP.)

I don't know whether both (logical) IDPs, each with their own entityID
as determined by the IDP Discovery Service, could be run within the
same Shib IDP instance. And while one of those instances could
possibly be a SAML proxy to an upstream IDP, if you already have an
IDP selection process as described above you may even not need to be
SAML-proxying at all? Instead you'd send the subject straight to the
"upstream" IDP after having determined it's should not be the IDP that
does performs authentication after all.


More information about the users mailing list