From: Sander A. <sa....@fz...> - 2019-11-29 09:57:31

Hi Krzysztof,

I had a deeper look into the metadata file of the basic federation. There
is an attribute which indicates if an IdP is only basic or advanced:

    <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>advanced</saml:AttributeValue>
    </saml:Attribute>

Do you know a way to use this information later in Unity?

Cheers,
Sander

On Mon, 2019-11-18 at 09:06 +0100, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I guessed that it is not possible. Thank you very much for your
> investigation into this.
>
> Best regards,
> Sander
>
> On Mon, 2019-11-18 at 09:03 +0100, Krzysztof Benedyczak wrote:
> > Hi Sander,
> >
> > On 12.11.2019 at 11:51, Sander Apweiler wrote:
> > > > If I understood this correctly, those are basically two federations
> > > > (two XMLs with metadata), Basic and Advanced, and in Advanced I'll
> > > > find all IdPs from Basic (same SAML entityIDs), right?
> > > >
> > > > If so, how do you envision a choice of which one is going to be
> > > > used for authentication of a user who happens to be in an IdP which
> > > > is a member of both? Should there be a choice (so the user can
> > > > select), or should we simply always use the advanced one?
> > >
> > > If the IdP is part of the advanced class, the advanced one should
> > > always be used. There should be no user selection, because the user
> > > will always end up at the same IdP.
> >
> > I had to verify what the answer is.
> >
> > So unfortunately this won't work in a reliable way: there is currently
> > no way in Unity to specify which SAML metadata overrides another one.
> > Actually the picture is quite complex, as in Unity you can also define
> > your trusted IdPs manually (not via metadata). Those guys are
> > guaranteed to take precedence over all metadata-based ones, but entries
> > are actually merged, i.e. if metadata brings more details about an IdP
> > they will be added to the manually defined one, but no setting will be
> > changed. However, w.r.t. the order of metadata-provided IdPs there is
> > no way to control it: the first one will win, but it is rather random
> > which one becomes the first.
> >
> > Best,
> > Krzysztof
> >
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-----------------------------------------------------------------------
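The two practical questions in this thread are (a) how to read the degree-of-reliance marker out of the federation metadata, and (b) what to do about IdPs that appear in both aggregates when Unity resolves the duplicate by whichever file happens to load first. The script below is an added example written for this page; it is not code from Unity, DFN-AAI or the thread's authors. It assumes the `http://aai.dfn.de/loa/degree-of-reliance` attribute is carried in the standard `mdattr:EntityAttributes` extension (SAML V2.0 Metadata Extension for Entity Attributes) inside each `md:EntityDescriptor`, and the entityIDs and the `basic` attribute value in the sample aggregates are constructed. It lists each IdP's degree of reliance, finds the entityIDs that occur in more than one aggregate, and produces a copy of the basic aggregate with those IdPs removed, so that only one source ever describes each IdP and the load-order problem cannot arise.

```python
# Added example, not Unity project code. Assumes the degree-of-reliance
# attribute sits in mdattr:EntityAttributes under md:Extensions (standard
# SAML metadata entity-attribute extension); sample metadata is constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

DOR_NAME = "http://aai.dfn.de/loa/degree-of-reliance"
ENTITY_TAG = "{%s}EntityDescriptor" % NS["md"]


def degree_of_reliance(metadata_xml):
    """Map IdP entityID -> degree-of-reliance value (None if the attribute is
    absent). Only entities with an IDPSSODescriptor are reported; SPs that
    share the aggregate are skipped."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for ent in root.iter(ENTITY_TAG):
        if ent.find("md:IDPSSODescriptor", NS) is None:
            continue
        values = [
            v.text.strip()
            for attr in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
            if attr.get("Name") == DOR_NAME
            for v in attr.findall("saml:AttributeValue", NS)
            if v.text
        ]
        result[ent.get("entityID")] = values[0] if values else None
    return result


def overlapping_idps(*metadata_xmls):
    """entityIDs of IdPs present in more than one aggregate: exactly the
    entries whose winning definition Unity picks by (random) load order."""
    count = {}
    for xml in metadata_xmls:
        for eid in degree_of_reliance(xml):
            count[eid] = count.get(eid, 0) + 1
    return sorted(eid for eid, n in count.items() if n > 1)


def strip_entities(metadata_xml, entity_ids):
    """Return the aggregate with the given EntityDescriptors removed.
    This invalidates the aggregate's XML signature, so verify the signature
    of the downloaded file first and serve the stripped copy to Unity from a
    trusted local path only."""
    root = ET.fromstring(metadata_xml)
    drop = set(entity_ids)
    for parent in list(root.iter()):  # snapshot: we mutate while walking
        for child in list(parent):
            if child.tag == ENTITY_TAG and child.get("entityID") in drop:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def basic_without_advanced(basic_xml, advanced_xml):
    """Basic aggregate minus every IdP the advanced aggregate also describes,
    so the advanced definition is the only one Unity ever sees for it."""
    return strip_entities(basic_xml, overlapping_idps(basic_xml, advanced_xml))


# ---- constructed sample aggregates -----------------------------------------
def _idp(entity_id, dor):
    return f"""
  <md:EntityDescriptor entityID="{entity_id}">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{DOR_NAME}"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{dor}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>"""


_HEAD = ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s">'
         % (NS["md"], NS["mdattr"], NS["saml"]))
_SP = ('<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
       '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
       '</md:EntityDescriptor>')
IDP_A = "https://idp-a.example.org/idp"  # constructed: in both aggregates
IDP_B = "https://idp-b.example.org/idp"  # constructed: basic only
BASIC_MD = _HEAD + _idp(IDP_A, "advanced") + _idp(IDP_B, "basic") + _SP + "</md:EntitiesDescriptor>"
ADVANCED_MD = _HEAD + _idp(IDP_A, "advanced") + "</md:EntitiesDescriptor>"

if __name__ == "__main__":
    print("basic aggregate:", degree_of_reliance(BASIC_MD))
    print("in both aggregates:", overlapping_idps(BASIC_MD, ADVANCED_MD))
    print("basic after stripping:",
          degree_of_reliance(basic_without_advanced(BASIC_MD, ADVANCED_MD)))
```

Run this against the two real aggregates after their signatures have been checked; the `overlapping_idps` output is also a useful periodic audit, since any IdP listed there is one whose configuration in Unity depends on load order rather than on policy. For metadata fetched from the network, `defusedxml` is the safer parser than the standard library's `xml.etree`.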