
When the URL path is /client1 the user should be directed to the IdP of this client. When the URL path is /client2 the user should be directed to the IdP of that client, etc.

How do I configure this with Shibboleth SP?

I've been reading for example this:

https://wiki.shibboleth.net/confluence/display/SHIB2/DiscoveryService

However, an SP will usually be able to handle users authenticated by multiple IdPs and at that point it has no option but to ask the user to select an IdP

I do not want to ask the user. I want Shibboleth SP to automatically redirect the user to the correct IdP based on the URL path. How do I do this?

Panu Haaramo

1 Answer

What you are after is "where are you from less" URLs, or WAYFless. This bypasses the discovery phase at the service provider. There are some built-in features such as domain hint and geo IP that will bring the identity provider to the top of the list for the visiting clients based on what's in those parameters, but if you are an SP in a federation you are better off providing your IdP with custom WAYFless URLs.

http://www.ukfederation.org.uk/content/Documents/WAYFlessServices

Or you could implement unsolicited SSO; the majority of Shibboleth 2 IdPs have an unsolicited profile.

https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO

Both of these options start the login process at the IdP and preload the SP metadata.

Sum1sAdmin
  • If I understood correctly these are not configured in Shibboleth SP and the user must access the IdP to initiate the login. In my case the IdP can be anything, not always Shibboleth. I can only configure our end, Shibboleth SP. Can it be configured to initiate login to the correct IdP? – Panu Haaramo Apr 08 '16 at 16:27
  • Many SPs don't support the discovery phase of SSO and the solutions are to use WAYFless URLs or unsolicited SSO; unsolicited is an IdP-initiated sign-in request such as: https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO?providerId=https://sp.example.org/shibboleth – Sum1sAdmin Apr 08 '16 at 16:32
  • There is no way of telling when a visitor lands on your page what their home institution is. Here is an example of unsolicited SSO I configured for AWS: https://idp.ncirl.ie/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices – Sum1sAdmin Apr 08 '16 at 16:37
  • I really thought I could just map a path like /client1 to an IdP. That's an easy way to tell it. If a user from another organization accessed this path she just couldn't log in, which is perfectly OK. – Panu Haaramo Apr 08 '16 at 16:42
  • But you would still need to build a URL for each IdP - that's WAYFless :-) – Sum1sAdmin Apr 08 '16 at 16:48
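The thread ends at "build a URL for each IdP". As an added illustration (not code from the question or answer), the function below builds the unsolicited SSO URL from the answer's example for each path prefix, with a fixed path-to-IdP map standing in for the per-client configuration. The IdP hostnames and the SP entityID are constructed placeholders; the `target` parameter is taken from the Shibboleth IdP unsolicited SSO profile and is not shown on this page.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed mapping of URL path prefix -> that client's IdP unsolicited SSO
# endpoint. Hostnames are placeholders, not real IdPs.
IDP_BY_PATH = {
    "/client1": "https://idp.client1.example/idp/profile/SAML2/Unsolicited/SSO",
    "/client2": "https://idp.client2.example/idp/profile/SAML2/Unsolicited/SSO",
}

# Our own SP entityID; the IdP receives it as providerId (placeholder value).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_BASE = "https://sp.example.org"


def idp_for_path(path: str) -> Optional[str]:
    """Return the IdP endpoint for the longest matching path prefix, or None.

    Matching on whole path segments avoids /client10 being treated as /client1.
    """
    best = None
    for prefix, endpoint in IDP_BY_PATH.items():
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, endpoint)
    return best[1] if best else None


def unsolicited_sso_url(path: str) -> Optional[str]:
    """Build the IdP-initiated login URL the user should be sent to for `path`.

    The target is pinned to our own host plus the requested path rather than
    taken from user-supplied input, so the IdP cannot be used as a redirector.
    An unmapped path yields None; a user from another organization simply
    cannot log in there, as the question accepts.
    """
    endpoint = idp_for_path(path)
    if endpoint is None:
        return None
    params = {"providerId": SP_ENTITY_ID, "target": SP_BASE + path}
    return endpoint + "?" + urlencode(params)  # urlencode escapes ':' and '/'
```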