From: Krzysztof B. <kb...@un...> - 2019-11-12 09:15:21
Hi Sander,

On 11.11.2019 at 14:48, Sander Apweiler wrote:
> Hi Krzysztof,
>
> the DFN AAI offers different trust levels for the IdP federation based
> on the identity vetting. Every IdP is in the basic one but not all are
> in the advanced one (higher identity vetting). If we want to support
> both federations, unity will find IdPs two times. One in basic and one
> in advanced.
>
> We want to store some Assurance information to the users, based on the
> federation. Because the users of an IdP from DFN advanced have a high
> identity vetting instead of basic AAI. I assume we would need two
> different input translation profiles for it. Please correct me if I am
> wrong.
>
> So I have two different questions.
> 1. Can unity deal with the fact that IdPs are listed two times and
> using different translation profiles?
> 2. If 1 is yes, how could we ensure that IdPs from advanced AAI
> always use the path through advanced and never through the basic AAI?

If I understood this correctly, those are basically two federations (two XMLs with metadata), Basic and Advanced; in Advanced I'll find all IdPs from Basic (same SAML entityIds), right?

If so, how do you envision a choice of which one is going to be used for authentication of a user who happens to be in an IdP which is a member of both? There should be a choice (so the user can select) or simply always use the advanced one?

Best,
Krzysztof
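The "always use the advanced one" option discussed in this thread, sketched as an added example that is not part of the original messages and is not Unity's own code or configuration: each entityID is resolved to the highest-vetting federation that lists it, and an issuer found in neither aggregate is rejected. The metadata snippets, federation labels and function names are constructed for illustration, and signature verification of the metadata is assumed to have happened before parsing.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

# Constructed sample aggregates (not real DFN AAI metadata).
BASIC_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth"/>
  <md:EntityDescriptor entityID="https://idp.uni-b.example/idp/shibboleth"/>
</md:EntitiesDescriptor>"""

ADVANCED_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth"/>
</md:EntitiesDescriptor>"""

# Hypothetical labels, ordered from lowest to highest identity vetting.
FEDERATIONS = [("basic", BASIC_XML), ("advanced", ADVANCED_XML)]


def entity_ids(xml_text):
    """Return the set of entityID values found in one metadata aggregate."""
    root = ET.fromstring(xml_text)
    tag = f"{{{MD_NS}}}EntityDescriptor"
    return {e.get("entityID") for e in root.iter(tag) if e.get("entityID")}


def resolve_assurance(federations):
    """Map each entityID to the highest-vetting federation that lists it."""
    resolved = {}
    for level, xml_text in federations:  # later entries override earlier ones
        for eid in entity_ids(xml_text):
            resolved[eid] = level
    return resolved


def assurance_for(issuer, resolved):
    """Look up the assurance label for an assertion issuer, failing closed."""
    if issuer not in resolved:
        raise LookupError(f"issuer not in any trusted federation: {issuer}")
    return resolved[issuer]


if __name__ == "__main__":
    table = resolve_assurance(FEDERATIONS)
    for eid in sorted(table):
        print(f"{eid} -> {table[eid]}")
```

Because the assurance label is derived from federation membership rather than from which login path the user picked, an IdP listed only in the basic aggregate can never be recorded as advanced.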