From: Krzysztof B. <kb...@un...> - 2019-11-18 08:03:54
Hi Sander,

On 12.11.2019 at 11:51, Sander Apweiler wrote:
>> If I understood this correctly, those are basically two federations (two
>> XMLs with metadata), Basic and Advanced, and in Advanced I'll find all
>> IdPs from Basic (same SAML entityIds), right?
>>
>> If so, how do you envision the choice of which one is going to be used for
>> authentication of a user who happens to be in an IdP which is a member of
>> both? Should there be a choice (so the user can select), or simply always
>> use the advanced one?
> If the IdP is part of the advanced class, the advanced one should always
> be used. There should be no user selection, because the user will always
> end at the same IdP.

I had to verify what the answer is. Unfortunately this won't work in a reliable way: there is currently no way in Unity to specify which SAML metadata overrides another.

Actually the picture is quite complex, as in Unity you can also define your trusted IdPs manually (not via metadata). Those are guaranteed to take precedence over all metadata-based ones, but the entries are actually merged. I.e. if the metadata brings more details about an IdP, they will be added to the manually defined one, but no existing setting will be changed.

However, with regard to the order of metadata-provided IdPs, there is no way to control it: the first one will win, but it is rather random which one becomes the first.

Best,
Krzysztof