From: Marcus H. <ha...@ki...> - 2019-11-12 09:44:03
On 11/12/19 10:15, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 11.11.2019 at 14:48, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > the DFN AAI offers different trust levels for the IdP federation based
> > on the identity vetting. Every IdP is in the basic one but not all are
> > in the advanced one (higher identity vetting). If we want to support
> > both federations, Unity will find IdPs two times. One in basic and one
> > in advanced.
> >
> > We want to store some Assurance information to the users, based on the
> > federation. Because the users of an IdP from DFN advanced have a high
> > identity vetting instead of basic AAI. I assume we would need two
> > different input translation profiles for it. Please correct me if I am
> > wrong.
> >
> > So I have two different questions.
> > 1. Can Unity deal with the fact that IdPs are listed two times and
> > using different translation profiles?
> > 2. If 1 is yes, how could we ensure that IdPs from advanced AAI
> > always use the path through advanced and never through the basic AAI?
>
> If I understood this correctly those are basically two federations (two XMLs
> with metadata) Basic and Advanced, in Advanced I'll find all IdPs from Basic
> (same SAML entityIds), right?

Other way round: All the advanced IdPs are also in Basic.

> If so how do you envision a choice which one is going to be used for
> authentication of a user who happens to be in IdP which is member of both?
> There should be a choice (so user can select) or simply always use the
> advanced one?

It's the same entity ID. I.e. our IdP qualifies for Advanced. Therefore it is in Advanced. But therefore the same entity is also in Basic.

--
Marcus.
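An added illustration (not code from Unity or from anyone in the thread) of the overlap Marcus describes: it parses two SAML metadata aggregates, lists the IdP entityIDs that appear in both Basic and Advanced, confirms that nothing is Advanced-only, and derives the higher vetting level per entityID, so an operator can audit what their two federation feeds contain before deciding which path a user must take. The metadata snippets are constructed samples, not the real DFN AAI files.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample metadata (not real DFN AAI aggregates). The Advanced
# feed is a subset of Basic, as Marcus describes: example-a is in both.
BASIC_MD = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="basic">
  <EntityDescriptor entityID="https://idp.example-a.edu/idp"><IDPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example-b.edu/idp"><IDPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example-c.edu/sp"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>"""

ADVANCED_MD = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="advanced">
  <EntityDescriptor entityID="https://idp.example-a.edu/idp"><IDPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>"""


def idp_entity_ids(metadata_xml):
    """Return the set of entityIDs that carry an IDPSSODescriptor (SPs are ignored)."""
    root = ET.fromstring(metadata_xml)
    ids = set()
    for ed in root.iter(MD_NS + "EntityDescriptor"):
        if ed.find(MD_NS + "IDPSSODescriptor") is not None:
            ids.add(ed.get("entityID"))
    return ids


def assurance_for(entity_id, basic_ids, advanced_ids):
    """Highest vetting level an IdP qualifies for, or None if it is in neither feed."""
    if entity_id in advanced_ids:
        return "advanced"
    if entity_id in basic_ids:
        return "basic"
    return None


def check_federations(basic_xml, advanced_xml):
    """Summarise how the two feeds overlap and which level each IdP should get."""
    basic_ids = idp_entity_ids(basic_xml)
    advanced_ids = idp_entity_ids(advanced_xml)
    return {
        # entityIDs a consumer of both feeds would see twice
        "duplicated": sorted(basic_ids & advanced_ids),
        # expected to be empty if every Advanced IdP is also in Basic
        "advanced_only": sorted(advanced_ids - basic_ids),
        "levels": {e: assurance_for(e, basic_ids, advanced_ids)
                   for e in basic_ids | advanced_ids},
    }


if __name__ == "__main__":
    print(check_federations(BASIC_MD, ADVANCED_MD))
```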