Auto-detect and forward to IDP?

Auto-detect and forward to IDP?

Jason B. Rappaport

Hello Shibboleth community!

We are trying to figure out if the following is possible behavior by an SP.

 

Background:

We run our PeopleSoft environment behind a web proxy that handles authentication via Shibboleth SP and communicates to our production Shibboleth IDP. When one logs into PeopleSoft, a primary page loads (site A) that contains (for lack of a better descriptor) includes from other sites (sites B and C). Sites B and C are protected by our Shibboleth SP, so for the content to load it hits our Shibboleth IDP seamlessly and the content loads without anyone knowing that three assertions occurred (sites A, B, and C). This behavior works great today.

Is this possible?

What we would like to do on initial login is have the SP present two IDPs to select from, i.e. a chooser. The user would then select one, and the SP would send them to the appropriate IDP and the behavior described above would proceed. The issue we are running into is that when sites B and C load, they go to the chooser and do not load the content as described above when we have a single IDP in the mix. So the question is, is it possible for the SP to detect what IDP was selected initially so that all subsequent requests from sites B and C are directed to the IDP selected? If this is possible, how? If this is not possible, is there another alternative we should be considering?

Thanks, Jay

________________________________

Jason Rappaport

Identity and Access Management Analyst

Office of Information Technology

Email:  [hidden email]

Office:  609-258-8464

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Auto-detect and forward to IDP?

Peter Schober
* Jason B. Rappaport <[hidden email]> [2019-12-12 14:30]:
> If this is not possible, is there a another alternative we should be
> considering?

If it's acceptable to avoid referencing remote protected content
(e.g. by hosting a local copy or rephrasing some text or changing
links to open external stuff in new windows/tabs, etc.) that would be
my first choice as it makes all issues you mentioned disappear.

-peter
Re: Auto-detect and forward to IDP?

Peter Schober
* Jason B. Rappaport <[hidden email]> [2019-12-12 14:30]:
> What we would like to do on initial login is have the SP present two IDPs to
> select from, i.e. a chooser.  The user would then select one, and the SP would
> send them to the appropriate IDP and the behavior described above would
> proceed.  The issue we are running into is that when sites B and C load, they
> go to the chooser and do not load the content as described above when
> we have a single IDP in the mix. So the question is, is it possible for the
> SP to detect what IDP was selected initially so that all subsequent requests
> from sites B and C are directed to the IDP selected?

The "chooser" (IDP Discovery Service) may also have that ability,
leaving the above flow in place (i.e., access to sites B and C would
still end up being sent to the "chooser") but making it
transparent/automatic to continue on to the IDP.

That has its own drawback as it then becomes hard/impossible to ever
choose a different IDP, which begs the question why have that chooser
in the first place if your browser is then "locked" to a certain IDP.

-peter
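The "chooser" in Peter's reply is a SAML IdP Discovery Service. As an added illustration (not code from this thread or from the Shibboleth project), the Python below sketches a discovery response handler that remembers the IdP picked on the first visit in a cookie and sends the follow-on requests from sites B and C straight on to it, while validating the SP's return URL against the DiscoveryResponse endpoints registered in its metadata so the DS cannot be used as an open redirector. The SP and IdP names, URLs and the `chosen` parameter are hypothetical.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode
# Constructed sample metadata values; all names and URLs are hypothetical.
SP_DISCOVERY_RESPONSE_URLS = {"https://sp.example.edu/Shibboleth.sso/Login"}
KNOWN_IDPS = {"https://idp1.example.edu/idp/shibboleth",
              "https://idp2.example.edu/idp/shibboleth"}

def valid_return_url(return_url):
    """Require https and a scheme/host/path matching a DiscoveryResponse endpoint
    from SP metadata; a DS that trusts any 'return' value is an open redirector."""
    p = urlsplit(return_url)
    base = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    return p.scheme == "https" and base in SP_DISCOVERY_RESPONSE_URLS

def cookie_idps(cookie):
    """Cookie convention: space-separated base64 entityIDs, most recent last.
    Malformed tokens and entityIDs outside KNOWN_IDPS are ignored."""
    out = []
    for tok in (cookie or "").split():
        try:
            idp = base64.b64decode(tok, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        if idp in KNOWN_IDPS:
            out.append(idp)
    return out

def encode_cookie(cookie, idp):
    """Move or append idp so it becomes the most recent entry."""
    idps = [i for i in cookie_idps(cookie) if i != idp] + [idp]
    return " ".join(base64.b64encode(i.encode()).decode() for i in idps)

def discovery_response(params, cookie=None):
    """Handle one IdP Discovery Protocol request: params is the SP's query
    (return, returnIDParam, isPassive) plus 'chosen' once the user has clicked an
    IdP.  Returns (redirect_url, new_cookie), or None when the chooser must be shown."""
    return_url = params.get("return", "")
    if not valid_return_url(return_url):
        raise ValueError("return is not a registered DiscoveryResponse endpoint")
    chosen = params.get("chosen")
    if chosen is not None and chosen not in KNOWN_IDPS:
        raise ValueError("unknown IdP entityID")
    idp = chosen or (cookie_idps(cookie) or [None])[-1]
    if idp is None:  # nothing remembered: passive requests go back without an IdP
        return (return_url, cookie) if params.get("isPassive") == "true" else None
    p = urlsplit(return_url)
    query = parse_qs(p.query, keep_blank_values=True)  # keep the SP's own params, e.g. target
    query[params.get("returnIDParam", "entityID")] = [idp]
    redirect = urlunsplit((p.scheme, p.netloc, p.path, urlencode(query, doseq=True), ""))
    return redirect, encode_cookie(cookie, idp)
```

This is exactly the trade-off Peter points out: once the cookie is set, the browser is pinned to that IdP until the cookie is cleared, so a real deployment needs some way (a "change IdP" link that drops the cookie, for instance) to reopen the choice.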