IdP Discovery


IdP Discovery

dhigley
I am looking for a way to use shibboleth2.xml to select the appropriate IdP without using the 'flat page' solution.  I would like to be able to do this through the configuration file, if possible.  I would also like to avoid chaining through multiple SessionInitiators as the list could be quite large.  I would also like to be able to do this without a Discovery Service.

As an example: map /my_server/foo to the foo idp and /my_server/bar to the bar idp.

Is this possible?

Thanks for the help,
DeeAnne


Re: IdP Discovery

Nate Klingenstein
DeeAnne,

Yes, that's absolutely possible.  If you want it to happen automatically on access of those URL's rather than through a specially constructed login link, I think you'll need to create separate SessionInitiators with two different default IdP's.  For example:

    <!-- One chaining initiator per IdP, each with its own default entityID.
         Only one initiator in the application may carry isDefault="true". -->
    <SessionInitiator type="Chaining" Location="/FooIdP" isDefault="true" id="foo-idp"
                      relayState="cookie" entityID="https://foo.org/idp/shibboleth">
        <SessionInitiator type="SAML2" acsByIndex="false" defaultACSIndex="1"
                          template="/etc/shibboleth/bindingTemplate.html"/>
        <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>

    <SessionInitiator type="Chaining" Location="/BarIdP" id="bar-idp"
                      relayState="cookie" entityID="https://bar.org/idp/shibboleth">
        <SessionInitiator type="SAML2" acsByIndex="false" defaultACSIndex="1"
                          template="/etc/shibboleth/bindingTemplate.html"/>
        <SessionInitiator type="Shib1" defaultACSIndex="5"/>
    </SessionInitiator>

Then, just specify requireSessionWith="bar-idp" in the RequestMap, or ShibRequireSessionWith foo-idp in e.g. httpd.conf.

https://spaces.internet2.edu/display/SHIB2/NativeSPSessionInitiator
https://spaces.internet2.edu/display/SHIB2/NativeSPContentSettings

Take care,
Nate.

On Mar 24, 2010, at 11:10 PM, [hidden email] wrote:

> I am looking for a way to use shibboleth2.xml to select the appropriate  
> IdP without using the 'flat page' solution.  I would like to be able  
> to do this through the configuration file, if possible.  I would  
> also like to avoid chaining through multiple SessionInitiators as  
> the list could be quite large.  I would also like to be able to do  
> this without a Discovery Service.
>
> As an example: map /my_server/foo to the foo idp and /my_server/bar  
> to the bar idp.
>
> Is this possible?
>
> Thanks for the help,
> DeeAnne
>


Re: IdP Discovery

Nate Klingenstein
Or... there's a much easier answer now.  Just set entityID="https://foo.org/idp/shibboleth" in the RequestMap.

entityID (URI)
  • The name of a specific IdP to use when automatically requesting authentication because a session does not exist. Allows for resource-based selection of an IdP to use, and overrides the entityID attribute of a SessionInitiator.

Guess I should read the docs more often, and update my own configs...
Nate.

RE: IdP Discovery

Cantor, Scott E.
In reply to this post by dhigley
> As an example: map /my_server/foo to the foo idp and /my_server/bar to the
> bar idp.
>
> Is this possible?

Yes, just apply an entityID setting using the RequestMap or with
ShibRequestSetting.

-- Scott
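Scott's answer as a concrete RequestMap fragment, added here as an example that is not from the thread or the Shibboleth project's own configuration; the host name my_server.example.org is assumed, and the two paths and IdP entityIDs are the placeholders from DeeAnne's question.

```xml
<!-- Added example (not from the thread): resource-based IdP selection in shibboleth2.xml.
     Host name and the two IdP entityIDs are placeholders taken from the question. -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <!-- requireSession="true" makes the SP start authentication on its own when no
             session exists; the entityID on the matching Path then names the IdP to
             use, so no discovery service and no per-IdP SessionInitiator is needed.
             The entityID must be present in the SP's metadata or the request fails. -->
        <Host name="my_server.example.org" authType="shibboleth" requireSession="true">
            <Path name="my_server">
                <!-- https://my_server.example.org/my_server/foo -> foo IdP -->
                <Path name="foo" entityID="https://foo.org/idp/shibboleth"/>
                <!-- https://my_server.example.org/my_server/bar -> bar IdP -->
                <Path name="bar" entityID="https://bar.org/idp/shibboleth"/>
            </Path>
        </Host>
    </RequestMap>
</RequestMapper>
```

On Apache the same per-location mapping can instead be given in httpd.conf with `ShibRequestSetting entityID https://foo.org/idp/shibboleth` inside a `<Location /my_server/foo>` block, next to the usual `AuthType shibboleth` and `require` directives that actually invoke the SP there.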



RE: IdP Discovery

Cantor, Scott E.
In reply to this post by Nate Klingenstein
> Yes, that's absolutely possible.  If you want it to happen
> automatically on access of those URL's rather than through a specially
> constructed login link, I think you'll need to create separate
> SessionInitiators with two different default IdP's.

No, that's been unnecessary for a while.

> Then, just specify requireSessionWith="bar-idp" in the RequestMap, or
> ShibRequireSessionWith foo-idp in e.g. httpd.conf.

The only use case I know of for requireSessionWith is supporting multiple
discovery services, not multiple IdPs.

-- Scott