IDP proxying for vendors' non-DS/WAYF capabilities
jehan.procaccia at tem-tsp.eu
Fri Jan 29 16:23:54 UTC 2021
I recently exchanged here about my experiences with Shibboleth IdP4 and the DocuSign SP (cf. my howto: https://www-public.imtbs-tsp.eu/~procacci/dok/doku.php?id=docpublic:systemes:shibboleth:docusign )
I noticed that SP vendors usually don't provide Discovery Service/WAYF SP-initiated SSO (as we are used to in the academic/research ecosystem),
so they ask us to register as many IDPs as we have universities/schools in our group of federated IDPs.
I came across these pages:
https://spaces.at.internet2.edu/display/GS/SAMLIdPProxy (quite old, I guess I should stick with the first one ...)
Do you think that is the right choice to circumvent the lack of DS/WAYF: registering only one proxied IDP with the vendor SP and letting that proxied IDP do the job of delegating authN to our local federation's end-user IDPs?
Or would it be better/simpler to present to the vendor SP only one IDP that has access to each school's end-user directories (LDAP)?
https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration#LDAPAuthnConfiguration-MultipleDirectories (I guess it also works in IDPv4)
I am at the starting point of going in the direction of a proxy IDP or a single IDP with multiple LDAP directories; which would be the better choice?
Thanks for your advice.
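For the "single IDP with multiple LDAP directories" option raised in the post, the check that matters most is that a login name resolves to exactly one entry across all the schools' directories before any bind is attempted; otherwise a uid that exists in two schools would be bound against whichever directory answers first. The following is an added illustration written for this page; it is not code from the post, from Shibboleth or from ldaptive. The directories are constructed in-memory stand-ins for the schools' LDAP servers, and the scopes, base DNs, account names and passwords are invented sample data.

```python
"""Added illustration (not from the original post, Shibboleth or ldaptive):
one IdP authenticating against several schools' directories.

Rule modelled: search every directory, require exactly one match, and only
then bind there.  A login written as uid@scope is routed to that scope's
directory only.  Directories are constructed in-memory stand-ins."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 50_000


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Directory:
    """Stand-in for one school's LDAP server (constructed, not a real LDAP client)."""
    scope: str                           # scope the IdP asserts, e.g. "school-a.example"
    base_dn: str
    entries: Dict[str, Tuple[bytes, bytes]]  # uid -> (salt, pbkdf2 hash)

    @classmethod
    def build(cls, scope: str, base_dn: str, accounts: Dict[str, str]) -> "Directory":
        entries = {}
        for uid, pw in accounts.items():
            salt = secrets.token_bytes(16)
            entries[uid] = (salt, _hash_pw(pw, salt))
        return cls(scope, base_dn, entries)

    def resolve_dn(self, uid: str) -> Optional[str]:
        """Equivalent of the DN search (uid=<uid>) under base_dn."""
        return f"uid={uid},{self.base_dn}" if uid in self.entries else None

    def bind(self, dn: str, password: str) -> bool:
        """Equivalent of a simple bind with the resolved DN."""
        uid = dn.split(",", 1)[0][len("uid="):]
        rec = self.entries.get(uid)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_pw(password, salt))


@dataclass
class AuthnResult:
    ok: bool
    reason: str
    principal: Optional[str] = None      # scoped name the IdP would release


def authenticate(directories: List[Directory], login: str, password: str) -> AuthnResult:
    """Aggregate resolution across directories, then a single bind."""
    if "@" in login:
        uid, scope = login.rsplit("@", 1)
        candidates = [d for d in directories if d.scope == scope]
    else:
        uid, candidates = login, directories

    hits = []
    for d in candidates:
        dn = d.resolve_dn(uid)
        if dn is not None:
            hits.append((d, dn))

    if not hits:
        return AuthnResult(False, "unknown user")
    if len(hits) > 1:
        # Refuse rather than guess: binding to the first match would let
        # school B's "jdupont" authenticate as school A's "jdupont".
        return AuthnResult(False, "ambiguous: uid exists in "
                           + ", ".join(d.scope for d, _ in hits))
    directory, dn = hits[0]
    if not directory.bind(dn, password):
        return AuthnResult(False, "bad password")
    return AuthnResult(True, "ok", principal=f"{uid}@{directory.scope}")


# Constructed sample directories; "jdupont" deliberately exists in both schools.
DIRECTORIES = [
    Directory.build("school-a.example", "ou=people,dc=school-a,dc=example",
                    {"alice": "correct horse", "jdupont": "pw-a"}),
    Directory.build("school-b.example", "ou=people,dc=school-b,dc=example",
                    {"bob": "battery staple", "jdupont": "pw-b"}),
]

if __name__ == "__main__":
    for login, pw in [("alice", "correct horse"), ("jdupont", "pw-b"),
                      ("jdupont@school-b.example", "pw-b"), ("nobody", "x")]:
        print(login, "->", authenticate(DIRECTORIES, login, pw))
```

The unscoped "jdupont" login is refused as ambiguous even with a correct password, while "jdupont@school-b.example" is routed to school B alone and succeeds; the principal returned carries the school's scope, which is what the IdP would use to build a scoped attribute for the vendor SP.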