IDP proxying for vendors' non-DS/WAYF capabilities

Jehan PROCACCIA jehan.procaccia at
Fri Jan 29 16:23:54 UTC 2021

I recently exchanged here about my experiences with Shibboleth IDP4 and the DocuSign SP (cf. my howto: [ | ]).
I noticed that SP vendors usually don't provide Discovery Service/WAYF SP-initiated SSO (as we are used to in the academic/research ecosystem),
so they ask us to register as many IDPs as we have universities/schools in our group of federated IDPs.
I came across those pages:
[ | ] (quite old, I guess I should stick with the first one ...)

Do you think that's the right choice, to circumvent the lack of DS/WAYF by registering only one proxied IDP with the vendor SP and letting that proxied IDP do the job of delegating authN to our local federation end users' IDPs?

Or would it be better/simpler to present to the vendor SP only one IDP that has access to each school's end-user directories (LDAP)?
[ | ] (I guess it also works in IDPv4)

I'm at the starting point of going in the direction of a proxy IDP or a single IDP with multiple LDAP directories; which would be the better choice?

Thanks for your advice.