From: Sander A. <sa....@fz...> - 2019-11-18 08:08:09
Hi Krzysztof,

I guessed that it is not possible. Thank you very much for your investigation into this.

Best regards,
Sander

On Mon, 2019-11-18 at 09:03 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 12.11.2019 at 11:51, Sander Apweiler wrote:
> > > If I understood this correctly those are basically two federations (two XMLs with metadata) Basic and Advanced, in Advanced I'll find all IdPs from Basic (same SAML entityIds), right?
> > >
> > > If so how do you envision a choice which one is going to be used for authentication of a user who happens to be in IdP which is member of both? There should be a choice (so user can select) or simply always use the advanced one?
> >
> > If the IdP is part of the advanced class, it should be always used the advanced. There should be no user selection, because user will always end at the same IdP.
>
> I had to verify what the answer is.
>
> So unfortunately this won't work in a reliable way: there is no way currently in Unity to specify which SAML metadata is overriding another one. Actually the picture is quite complex as also in Unity you can define manually (not via metadata) your trusted IdPs. Those guys are guaranteed to take precedence over all metadata based, but entries are actually merged. I.e. if metadata brings more details about IdP it will be added to the manually defined one, but no setting will be changed. However wrt to the order of metadata provided IdPs there are no ways to control it - the first one will win, but it is rather random which one becomes the first.
>
> Best,
> Krzysztof
>
>

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
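Since the thread concludes that the order of metadata-provided IdPs cannot be controlled, an operator can at least list which entityIDs are defined by more than one metadata source and whether their descriptors differ. The sketch below is an added example, not part of the thread and not Unity code; the function names, entityIDs and endpoint URLs are constructed for illustration, and it compares only the SingleSignOnService endpoints.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def idp_endpoints(metadata_xml):
    """Map each IdP entityID to its set of (Binding, Location) SSO endpoints."""
    result = {}
    # iter() also matches the root, so a single-entity document works too.
    for entity in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:  # SP-only entity, irrelevant for IdP precedence
            continue
        result[entity.get("entityID")] = frozenset(
            (s.get("Binding"), s.get("Location"))
            for s in idp.findall("md:SingleSignOnService", NS))
    return result

def find_overlaps(sources):
    """sources: {name: metadata_xml}. Returns {entityID: (names, differs)}
    for every IdP that more than one metadata source defines."""
    seen = {}
    for name, xml_text in sources.items():
        for entity_id, endpoints in idp_endpoints(xml_text).items():
            seen.setdefault(entity_id, {})[name] = endpoints
    return {eid: (sorted(by_src), len(set(by_src.values())) > 1)
            for eid, by_src in seen.items() if len(by_src) > 1}

def sample(idps):
    """Build constructed test metadata from {entityID: SSO location}."""
    entities = "".join(
        f'<md:EntityDescriptor entityID="{eid}"><md:IDPSSODescriptor '
        f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<md:SingleSignOnService Binding="{REDIRECT}" Location="{loc}"/>'
        f'</md:IDPSSODescriptor></md:EntityDescriptor>'
        for eid, loc in idps.items())
    return f'<md:EntitiesDescriptor xmlns:md="{MD}">{entities}</md:EntitiesDescriptor>'

# Constructed data: both sources define idp-a and idp-b; idp-b differs.
A, B = "https://idp-a.example.org", "https://idp-b.example.org"
BASIC = sample({A: A + "/sso", B: B + "/sso"})
ADVANCED = sample({A: A + "/sso", B: B + "/sso-mfa"})

if __name__ == "__main__":
    for eid, (names, differs) in find_overlaps(
            {"basic": BASIC, "advanced": ADVANCED}).items():
        print(eid, names, "descriptors differ" if differs else "identical")
```

An entityID reported with differing descriptors is one where the effective configuration depends on which metadata source happens to be loaded first.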