<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">You should look at the Swedish ID-Proxy:<div class=""><a href="https://github.com/its-dirg/IdProxy" class="">https://github.com/its-dirg/IdProxy</a></div><div class=""><br class=""></div><div class="">It gives you OIDC in addition to SAML.</div><div class=""><br class=""></div><div class="">- Rainer<br class=""><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">Am 19.04.2016 um 06:27 schrieb Stefano Zanmarchi <<a href="mailto:zanmarchi@gmail.com" class="">zanmarchi@gmail.com</a>>:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Thank you very much Eric for your clear and thorough explanation!<div class="">In addition to <span style="font-size:12.8px" class="">SimpleSAMLphp and its MultiAuth authentication module, which I will surely take a look at, do you know of any other mature IdP proxy implementation?</span></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, Apr 19, 2016 at 1:40 AM, Eric Goodman <span dir="ltr" class=""><<a href="mailto:Eric.Goodman@ucop.edu" target="_blank" class="">Eric.Goodman@ucop.edu</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple" class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">An IdP Proxy looks exactly like an IdP, kind of in the same way an http proxy looks exactly like an http server. So yes, it’s easy to do on the SP side.
<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">The Proxy will have its own unique entityID, so you would have to do the proper metadata exchange between the Proxy and the SP (as you would for any IdP) but
 the interop is no different for Proxy as it would be for a normal IdP. Also, the Proxy looks like an SP when it talks to the source IdPs, so you need to exchange metadata there too.
<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">                Source IdPs <==> SP [one side of Proxy; other side of Proxy] IdP <==> Client SP<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">The arrows are SAML conversation paths, and also where you need metadata/configuration exchange.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">--- Eric
<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> users [mailto:<a href="mailto:users-bounces@shibboleth.net" target="_blank" class="">users-bounces@shibboleth.net</a>]
<b class="">On Behalf Of </b>Stefano Zanmarchi<br class="">
<b class="">Sent:</b> Monday, April 18, 2016 11:17 AM<br class="">
<b class="">To:</b> Shib Users<br class="">
<b class="">Subject:</b> RE: IdP gateway<u class=""></u><u class=""></u></span></p><div class=""><div class="h5"><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p class="">Thank you for the answers.<br class="">
@Eric: it wouldn't be an issue, but I was wondering: can the SP easily be configured to "point to" an IdP proxy instead of an IdP or to a Discovery Service?<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Il 18/apr/2016 19:31, "Eric Goodman" <<a href="mailto:Eric.Goodman@ucop.edu" target="_blank" class="">Eric.Goodman@ucop.edu</a>> ha scritto:<u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">This can be done using an IdP Proxy. SimpleSamlPhp is one product you can use for this purposes.
 It has hooks for doing what you describe, but there would be custom coding required.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">The approach assumes you have a process to populate and maintain the extra information (e.g., entitlements)
 for users from all of the IdPs for the proxy to pull information from. The Proxy doesn’t help at all with managing that extra information, it just offers a mechanism for “post processing” the SAML responses and injecting information before the SP gets the
 SAML response. </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Using an IdP Proxy approach, the SP sees all the attributes as coming from the IdP Proxy, not from
 the original source IdPs, so it’s not “transparent” to the SP in that sense. It’s not clear from your description whether or not that would cause an issue for you.
</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">--- Eric</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> users [mailto:<a href="mailto:users-bounces@shibboleth.net" target="_blank" class="">users-bounces@shibboleth.net</a>]
<b class="">On Behalf Of </b>Stefano Zanmarchi<br class="">
<b class="">Sent:</b> Monday, April 18, 2016 7:23 AM<br class="">
<b class="">To:</b> Shib Users<br class="">
<b class="">Subject:</b> IdP gateway</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Hi all,<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">I'm looking for an IdP gateway with the ability to add attributes to those received from an  IdP.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">The scenario I'd like to achieve is:<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">- the user clicks on the SP's login button<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">- she gets redirected to the IdP gateway<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">- the IdP gateway presents the user with a list of IdPs she can chose from<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">- the user selects an IdP and authenticates<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">- upon succesful authentication the gateway returns the user to the SP adding some attributes (e.g. an entitlement).<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Has something like this already been implemented, possibly open source? Any information would be greatly appreciated.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Thanks,<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Stefano<u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><br class="">
--<br class="">
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" target="_blank" class="">
users-unsubscribe@shibboleth.net</a><u class=""></u><u class=""></u></p>
</div>
</div></div></div>
</div>

<br class="">--<br class="">
To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" class="">users-unsubscribe@shibboleth.net</a><br class=""></blockquote></div><br class=""></div>
-- <br class="">To unsubscribe from this list send an email to <a href="mailto:users-unsubscribe@shibboleth.net" class="">users-unsubscribe@shibboleth.net</a></div></blockquote></div><br class=""></div></div></body></html>