Comments (6)

mkobaly avatar mkobaly commented on July 27, 2024 1

Could you elaborate on how the middleware currently supports this, as I have the same question? From looking at the code, the middleware has a reference to the ServiceProvider. That ServiceProvider then has all of the info for one IdP. My thought would be to enhance the middleware to take a slice of ServiceProviders, and then the middleware could determine which one to use based off the URL (using sub-domains as a qualifier, e.g. idp1.mySaaSApp.com vs idp2.mySaaSApp.com).

alfredr avatar alfredr commented on July 27, 2024

I'm curious about this also. Any thoughts?

saghaulor avatar saghaulor commented on July 27, 2024

I'm not sure that I understand this issue. Perhaps I can shed light on it, but again, I'm unsure what the question concern is.

In my shop we currently use PingFederate (PF) as an SP server. Within PF, you can create multiple IdP connections. We use this functionality to have a single PF cluster act as SP for our various hosted customer apps. Each customer app has a single IdP connection. They can then use SP or IdP initiated workflows.

But I think you're asking, "how can a single SP/resource support multiple IdPs?"

I think the only way to do this is IdP initiated, or perhaps an SP initiated workflow would work using some sort of special naming convention at the resource to look up IdP details. I think this is how companies like Google are doing it. From this doc, it seems to suggest that they only support one IdP per SP connection.

They go into detail about how they do SSO redirects to your IdP here.
I would think subdomains would be easy enough for this, but maybe query string params would also work.

I don't know if any of that was helpful, I hope that it was.

mikewiacek avatar mikewiacek commented on July 27, 2024

You can do this entirely within the middleware. crewjam/saml does all the logic, but what you're asking for is more of a function of how the middleware works.

rcadena avatar rcadena commented on July 27, 2024

I'm interested in this as well. In my particular instance I'd like to be able to have what I call a list of "IdP Profiles". One endpoint, /saml/, handles all requests, as it does now. However, the IdP profile to use for the workflow would be based on the IdP Issuer URI. From the perspective of an administrator, it would look something like the instructions in this Adobe documentation for configuring SSO: https://helpx.adobe.com/in/enterprise/help/configure-sso.html

@mikewiacek, can you elaborate on how something like multiple IdPs could be handled in the middleware?

@mkobaly maybe the IdP selection could be done via some pluggable function. In your case you'd inspect the subdomain and return the appropriate IdP EntityDescriptor. In your suggestion, you propose having multiple ServiceProviders to select from. I admit I'm new to the concepts in SAML, so, is it the case that there ought to be a 1-1 correspondence between SP and IdP, or is my suggestion above also allowed: 1-* with one SP to many IdPs?

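A sketch of the two selection strategies raised in this thread, subdomain for the SP-initiated flow (mkobaly) and Issuer URI for the IdP-initiated flow (rcadena), added here as an example; it is not crewjam/saml code, and the IdPProfile and Registry names, the base domain and the sample tenants are assumptions. The defensive point either middleware design needs: an unrecognised Host must fail closed rather than fall back to a default tenant, and the Issuer only chooses which IdP certificate the response signature is verified against.

```go
package main

import "strings"

// IdPProfile: per-tenant IdP config (names are assumptions for this example,
// not crewjam/saml types; a real one would wrap the IdP EntityDescriptor).
type IdPProfile struct {
	Tenant   string // subdomain label, e.g. "idp1" for idp1.mySaaSApp.com
	EntityID string // IdP Issuer URI expected in its responses
}

// Registry resolves a profile by either key raised in the thread: request
// subdomain (SP-initiated flow) or response Issuer (IdP-initiated flow).
type Registry struct {
	baseDomain         string
	byTenant, byIssuer map[string]*IdPProfile
}

func NewRegistry(baseDomain string, profiles []IdPProfile) *Registry {
	r := &Registry{strings.ToLower(baseDomain), map[string]*IdPProfile{}, map[string]*IdPProfile{}}
	for i := range profiles {
		r.byTenant[strings.ToLower(profiles[i].Tenant)] = &profiles[i]
		r.byIssuer[profiles[i].EntityID] = &profiles[i]
	}
	return r
}

// SelectByHost picks the profile from the Host header. The header is client
// supplied, so anything that is not exactly <tenant>.<baseDomain> fails closed
// (ok == false) instead of falling back to a default tenant.
func (r *Registry) SelectByHost(host string) (p *IdPProfile, ok bool) {
	host = strings.ToLower(host)
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i] // drop any port
	}
	label := strings.TrimSuffix(host, "."+r.baseDomain)
	if label == host || label == "" || strings.Contains(label, ".") {
		return nil, false
	}
	p, ok = r.byTenant[label]
	return p, ok
}

// SelectByIssuer picks the profile from the response <Issuer>. Issuer is
// unauthenticated text, so verify the response signature with this profile's
// certificate before trusting anything else in it.
func (r *Registry) SelectByIssuer(issuer string) (p *IdPProfile, ok bool) {
	p, ok = r.byIssuer[issuer]
	return p, ok
}
```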
OscarVanL avatar OscarVanL commented on July 27, 2024

Is there an effective way for a SP to support multiple IdPs in crewjam/saml then?
