
Summary

  • Can ADFS present one IdP to a SAML Service Provider (SP), but authenticate against multiple AD servers on the back end?

Context

Here's the use case:

  • Company Foo has bought company Bar
  • They plan to fully integrate/combine their infrastructure, but "haven't got there yet"
  • As such, the companies still run separate AD servers, i.e. one for company Foo and the other for Bar
  • Company Foo wants to use software/service vendor XYZ
  • XYZ integrates using SAML, but with only one IdP per organization
  • Company Foo wants their "Bar" users to appear in the same organization within software XYZ (i.e. even though some have @foo.com email addresses and others have @bar.com email addresses)

More Detailed Questions

  • Can an AD admin set up a single IdP endpoint against which SP XYZ can authenticate for both Foo and Bar users (i.e. Foo users authenticate against the Foo AD server, Bar users authenticate against the Bar AD server)?

i.e. so that the IdP authentication endpoint can route to the correct back-end server, then provide the correct claims (user attributes) to the SP

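The question has no answer on this page; the following is an added illustration (not an answer posted by anyone on the page, and not vendor XYZ's or the poster's configuration) of how the routing described in the question is typically built on AD FS: Foo's AD FS farm is the single IdP that XYZ trusts, Foo's own users are authenticated by the built-in "Active Directory" claims provider, and a second AD FS instance in the Bar forest is added as a claims provider trust, with @bar.com logins routed to it by account suffix. The farm names, metadata URLs, trust names and the "fs.bar.com"/"xyz.example.com" hosts are assumptions made for the example.

```powershell
# Added example, not from the question: Foo's AD FS farm as the single IdP for XYZ,
# federating with an assumed AD FS instance in the Bar forest as a claims provider trust.
# All names, hosts and URLs below are placeholders.
Import-Module ADFS

$claimsNs   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
$emailType  = "$claimsNs/emailaddress"
$upnType    = "$claimsNs/upn"
$nameIdType = "$claimsNs/nameidentifier"

# 1. Register Bar's AD FS as a claims provider trust on Foo's farm (assumed metadata URL).
#    Acceptance rules control which claims Foo's AD FS accepts from Bar; anything Bar sends
#    that is not matched here is dropped, so only the attributes XYZ needs are let through.
$barAcceptanceRules = @"
@RuleName = "Accept email from Bar"
c:[Type == "$emailType"]
 => issue(claim = c);

@RuleName = "Accept UPN from Bar"
c:[Type == "$upnType"]
 => issue(claim = c);
"@

Add-AdfsClaimsProviderTrust -Name "Bar ADFS" `
    -MetadataUrl "https://fs.bar.com/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $barAcceptanceRules

# 2. Home realm discovery: send @bar.com logins to Bar's AD FS without showing the user
#    an IdP picker. Suffix-based routing is available on AD FS 2016 and later.
Set-AdfsClaimsProviderTrust -TargetName "Bar ADFS" -OrganizationalAccountSuffix @("bar.com")

# 3. Issuance rules for the XYZ relying party. Foo users arrive via the built-in
#    "Active Directory" provider, so mail/UPN are read from Foo's AD. Bar users already
#    carry email/UPN claims accepted in step 1. The last rule maps the email claim to the
#    SAML NameID for both populations, so XYZ sees one consistent identifier format.
$xyzIssuanceRules = @"
@RuleName = "Foo users: mail and UPN from Foo AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType", "$upnType"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Pass through email (Foo or Bar)"
c:[Type == "$emailType"]
 => issue(claim = c);

@RuleName = "Email as SAML NameID"
c:[Type == "$emailType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

Add-AdfsRelyingPartyTrust -Name "XYZ" `
    -MetadataUrl "https://xyz.example.com/saml/metadata" `
    -IssuanceTransformRules $xyzIssuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 4. Allow both claims providers for this relying party: "Active Directory" is the
#    built-in provider for Foo's forest, "Bar ADFS" is the trust created in step 1.
Set-AdfsRelyingPartyTrust -TargetName "XYZ" -ClaimsProviderName @("Active Directory", "Bar ADFS")

# Check: both providers are enabled for the RP and the suffix routing is in place.
(Get-AdfsRelyingPartyTrust -Name "XYZ").ClaimsProviderName
(Get-AdfsClaimsProviderTrust -Name "Bar ADFS").OrganizationalAccountSuffix
```

Because Foo's AD FS re-signs the assertion it sends to XYZ, the SP only ever sees one issuer (Foo's AD FS entity ID), which is what satisfies the "one IdP per organization" limit; Bar's AD FS shows up only as the OriginalIssuer of the passed-through claims. If a forest trust already exists between the Foo and Bar forests, the second AD FS instance is unnecessary: the built-in "Active Directory" claims provider can authenticate users from trusted forests directly, and the LDAP rule in step 3 then covers both populations. Either way, keep the acceptance rules narrow: every claim accepted from the Bar side is presented to XYZ under Foo's signature, so an over-broad pass-through lets Bar's IdP assert attributes (including @foo.com email addresses) that Foo's AD FS would otherwise never issue.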

0 Answers