I'm deploying a Shibboleth v4 IdP for SSO to protected network resources with Shibboleth SPs (Service Providers). I want to define simple rules like these:
- SP group one: SP-A and SP-B must be in the same SSO context (no re-authentication required between resources of SP-A and resources of SP-B)
- SP group two: SP-C and SP-D must be in the same SSO context (no re-authentication required between SP-C and SP-D)
- re-authentication required between SPs from different groups.
I'm working on relying-party.xml, writing something like this:
<!-- Example matching two SPs (group one) -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'SP-A', 'SP-B'}}">
    <property name="profileConfigurations">
        <list>
            <!-- Your refs or beans here. -->
            <bean parent="SAML2.SSO">
                ..I suppose I need to define something here, but what?
            </bean>
        </list>
    </property>
</bean>
<!-- Example matching two SPs (group two) -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'SP-C', 'SP-D'}}">
    <property name="profileConfigurations">
        <list>
            <!-- Your refs or beans here. -->
            <bean parent="SAML2.SSO">
                ..I suppose I need to define something here, but what?
            </bean>
        </list>
    </property>
</bean>
Is this approach correct? With respect to this example, what rule should I write?