Forwarding to IDPs based on email domain of user
Nate Klingenstein
ndk at signet.id
Sat Aug 14 03:31:14 UTC 2021
Sean,
The real trouble you'll face is that SP's typically make the query for the email address/domain themselves because they're handling large client bases and using that for discovery in general, not just your specific case. The results of that turn into a metadata lookup on their end and the initiation of an SSO request. By that point, the email address has been discarded. There are plausible ways for the SP to send the email address as a hint to the IdP, but not without interfering with other functionality in a messy way or really extending things, which most vendors will certainly not want to do. This is one of the ways wsignin is better than SAML.
It's more likely that you would have to ask the user for their address twice following your approach using SAML. That's obviously suboptimal from a user experience point of view, and is why you may want to go back to the architectural drawing board rather than try to "just make this work".
It's unfortunate that things ended up this way. I argued for DNS records that could point towards metadata for IdP's or SP's for domains/FQDN's once upon a time, but eventually lost for legitimate reasons. I still kinda wish I hadn't.
Best wishes,
Nate
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
On Sat, Aug 14, 2021 at 2:17 AM Sean Flannery <sean.flannery at wundermanthompson.com> wrote:
Hey Peter,
Thanks for the response.
Yes, we thought / assumed the user would have to enter their email address first, for the system to know which IDP to use. Our users would be fine with this as the vendor services we use already implement this kind of flow (they have to enter email, to get the right login screen).
So we thought (perhaps naively) that our SP could point to this one IDP that performs this function: it asks the email of the user and then either performs LDAP auth on the user or forwards them to the upstream IDP if their domain is supported by it.
...I think I understand what you are saying with the entityIDs and discovery services but my understanding is that those services allow the user to select the IDP, where we want this to be a silent, background choice the system makes; it routes you to the correct IDP based on the email domain you entered.
Thanks again
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober <peter.schober at univie.ac.at>
Sent: Friday, August 13, 2021 6:17 PM
To: users at shibboleth.net <users at shibboleth.net>
Subject: Re: Forwarding to IDPs based on email domain of user
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
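The routing step Sean describes (a front IdP collects the user's email address, then silently chooses between local LDAP authentication and forwarding to an upstream IdP by domain) is shown below as an added example. It is not code from this thread, from Shibboleth, or from either poster; the domain-to-entityID registry, the local-domain set and the `route_for`/`email_domain` names are constructed for illustration. It only makes sense in the architecture Sean outlines, where the proxy IdP is the component collecting the address; as Nate points out, an SP that does its own discovery has usually discarded the address before any request reaches the IdP.

```python
"""Email-domain based IdP routing for a proxy/discovery IdP (added example).

The entered address is treated purely as a discovery hint: it picks where
the user is sent, and the chosen IdP (or the local LDAP bind) still has to
authenticate them. Nothing here trusts the address as an identity claim.
"""
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample registry: upstream IdP entityID per federated domain.
UPSTREAM_IDPS = {
    "example.edu": "https://idp.example.edu/idp/shibboleth",
    "partner.example.org": "https://sso.partner.example.org/saml2/idp",
}

# Constructed sample set: domains whose users authenticate locally via LDAP.
LOCAL_DOMAINS = {"agency.example.com"}

# Conservative shape check: one local part, one '@', a dotted host name.
# Anything else is rejected before it influences routing.
_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\.?$")


@dataclass(frozen=True)
class Route:
    kind: str                       # "local", "upstream" or "unknown"
    domain: str                     # normalised domain that was matched on
    entity_id: Optional[str] = None  # upstream IdP entityID, if any


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain without a trailing dot, or None if the
    address does not have the expected shape."""
    m = _EMAIL_RE.match(address.strip())
    if not m:
        return None
    return m.group(1).lower()


def _parent_domains(domain: str) -> Iterator[str]:
    """Yield the domain and its parents, most specific first, stopping before
    the bare TLD: mail.example.edu -> mail.example.edu, example.edu."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def route_for(address: str) -> Route:
    """Decide where to send the user based only on the email domain.

    Design choice (an assumption of this example): a sub-domain is routed like
    its registered parent, so mail.example.edu follows example.edu. Matching
    walks parents of the *entered* domain only, so example.edu.attacker.invalid
    never matches example.edu. Unknown domains get no route rather than a guess.
    """
    domain = email_domain(address)
    if domain is None:
        return Route("unknown", "")
    for candidate in _parent_domains(domain):
        if candidate in LOCAL_DOMAINS:
            return Route("local", domain)
        if candidate in UPSTREAM_IDPS:
            return Route("upstream", domain, UPSTREAM_IDPS[candidate])
    return Route("unknown", domain)


if __name__ == "__main__":
    for addr in ("alice@example.edu", "Bob@Mail.Example.EDU",
                 "carol@agency.example.com", "dave@nowhere.example.net"):
        print(addr, "->", route_for(addr))
```

The "unknown" outcome is where the user-experience problem Nate raises shows up: the proxy has nowhere to send the user and has to fall back to a manual discovery page or an error, and if the upstream IdP then prompts for the address again the user has typed it twice.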