
I have installed Shibboleth version 3.0.2. I am hosting a single page application which needs to be protected through ADFS login. There are two ADFS instances for different sets of users.

I have a few queries as to how to achieve this.

  1. How can I configure two IdPs in the shibboleth2.xml file? The element is allowed only once. I have provided two tags with different metadata files, but when I click the link https://devserver.testhost.com/Shibboleth.sso/DiscoFeed, it shows me two "entityID" elements with the same IdP provided in .

  2. How does the system work with two IdPs? What should be the process to identify when to call which IdP? With a single IdP, I can do something like below in my Apache configuration. Whenever the context path is hit, Apache will redirect the call to Shibboleth, and Shibboleth to the IdP.

<Location /my-first>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

But I am a bit confused: when there is more than one IdP, how do I decide which one gets called?

Can you help me with the above queries?

Thanks

Ron Harris

1 Answer

You need to run the Shibboleth Embedded Discovery Service (EDS)[1] in conjunction with your Service Provider installation, so that when a user requests a protected resource, i.e. /secure, they are kicked over to the discovery service which prompts them to select the Identity Provider they would like to authenticate against.

The /Shibboleth.sso/DiscoFeed url is used in configuring the EDS, so that it knows the details of which Identity Providers are configured for the service provider, and what information it should include in the drop-down.

The EDS is little more than some JavaScript to parse the JSON and create the appropriate URLs for the users to select with the drop-down, but it's exactly what you need here.

[1] https://wiki.shibboleth.net/confluence/display/EDS10/Embedded+Discovery+Service

Kellen Murphy
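To make the answer concrete, here is an added example (not code from the question, the answer, or the Shibboleth project) that does in miniature what the EDS does in the browser: it parses the JSON served by /Shibboleth.sso/DiscoFeed, builds the entries for a selector, flags the symptom from the question (two feed entries carrying the same entityID, which means the SP only really knows one IdP), and turns the user's choice into the SP's SessionInitiator URL /Shibboleth.sso/Login?entityID=...&target=.... The hostnames, the two ADFS entityIDs and the feed contents are constructed sample values, and the field layout assumed for the feed (entityID plus a DisplayNames array of {value, lang}) is an assumption about the DiscoFeed format.

```javascript
// Added example, not part of the original post or of Shibboleth itself.
// Hostnames, entityIDs and the feed body below are constructed sample values.

const SP_BASE = "https://devserver.testhost.com"; // host from the question
const SP_LOGIN_HANDLER = SP_BASE + "/Shibboleth.sso/Login"; // SessionInitiator handler

// Constructed sample of a DiscoFeed response listing two ADFS IdPs.
// Assumed layout: array of { entityID, DisplayNames: [{ value, lang }] }.
const SAMPLE_DISCOFEED = JSON.stringify([
  { entityID: "http://adfs-a.example.test/adfs/services/trust",
    DisplayNames: [{ value: "ADFS A (staff)", lang: "en" }] },
  { entityID: "http://adfs-b.example.test/adfs/services/trust",
    DisplayNames: [{ value: "ADFS B (partners)", lang: "en" }] },
]);

// Parse the feed into { entityID, label } entries, preferring the display name
// in the requested language and falling back to the entityID itself.
function parseDiscoFeed(jsonText, lang = "en") {
  const raw = JSON.parse(jsonText);
  if (!Array.isArray(raw)) throw new Error("DiscoFeed must be a JSON array");
  return raw.map((idp) => {
    if (typeof idp.entityID !== "string" || idp.entityID.length === 0) {
      throw new Error("DiscoFeed entry without entityID");
    }
    const names = Array.isArray(idp.DisplayNames) ? idp.DisplayNames : [];
    const preferred = names.find((n) => n.lang === lang) || names[0];
    return { entityID: idp.entityID, label: preferred ? preferred.value : idp.entityID };
  });
}

// Report entityIDs that occur more than once. A feed like the one in the
// question (two entries, same entityID) would make a selector offer the same
// IdP twice, so it is worth checking before building the drop-down.
function duplicateEntityIDs(entries) {
  const seen = new Set();
  const dups = new Set();
  for (const e of entries) {
    if (seen.has(e.entityID)) dups.add(e.entityID);
    seen.add(e.entityID);
  }
  return [...dups];
}

// Build the URL the browser is sent to after the user picks an IdP. The chosen
// entityID must be one the feed advertised; anything else is rejected so that a
// tampered selection cannot steer the SP towards an IdP it is not configured for.
// `target` is the protected resource the user originally requested.
function buildLoginUrl(entries, chosenEntityID, target) {
  if (!entries.some((e) => e.entityID === chosenEntityID)) {
    throw new Error("entityID not present in DiscoFeed: " + chosenEntityID);
  }
  const params = new URLSearchParams({ entityID: chosenEntityID, target: target });
  return SP_LOGIN_HANDLER + "?" + params.toString();
}

// Walk through the whole flow on the sample feed: the user picked the second IdP
// while trying to reach /my-first/ (the Location from the question).
function demo() {
  const entries = parseDiscoFeed(SAMPLE_DISCOFEED);
  const dups = duplicateEntityIDs(entries);
  const url = buildLoginUrl(entries, entries[1].entityID, SP_BASE + "/my-first/");
  return { entries, dups, url };
}

console.log(demo());
```

In a real deployment the EDS keeps this logic in the page served for the protected resource; the SP's SessionInitiator then reads the entityID parameter, looks the IdP up in the metadata it has loaded, and starts the SAML exchange with that IdP. Whichever way the selector is built, only entityIDs that the SP itself advertises in DiscoFeed should ever be accepted back from the browser.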