SP support for multiple IDPs

[crewjam]

The current library assumes that there will be exactly one IDP for each SP, but there may be cases where a service provider needs multiple IDPs. What is the story there? How to people like google and amazon handle that? IDP-initiated? or something else?

[alfredr]

I'm curious about this also. Any thoughts?

[saghaulor]

I'm not sure that I understand this issue. Perhaps I can shed light on it, but again, I'm unsure what the question concern is.

In my shop we currently use PingFederate (PF) as an SP server. Within PF, you can create multiple IdP connections. We use this functionality to have a single PF cluster act as SP for our various hosted customer apps. Each customer app has a single IdP connection. They can they use SP or IdP initiated workflows.

But I think you're asking, "how can a single SP/resource support multiple IdPs?"

I think the only way to do this is IdP initiated, or perhaps an SP initiated workflow would work using some sort of special naming convention at the resource to lookup IdP details. I think this is how companies like Google are doing it. From this doc, it seems to suggest they they only support one IdP per SP connection.

They go into detail about how they do SSO redirects to your IdP here
I would think subdomains would be easy enough for this, but maybe query string params would also work.

I don't know if any of that was helpful, I hope that it was.

[mikewiacek]

You can do this entirely within the middleware. crewjam/saml does all the logic, but what you're asking for is more of a function of how the middleware works.

[mkobaly]

Could you elaborate on how the middleware currently supports this as I have the same question? From looking at the code the middleware has a reference to the ServiceProvider. That ServiceProvider then has all of the info for one IdP. My thought would be to enhance the middleware to take a slice of ServiceProviders and then the middleware could determine which one to use based of the url (using sub-domains as qualifier. Ex idp1.mySaaSApp.com vs idp2.mySaaSApp.com)

[rcadena]

I'm interested in this as well. In my particular instance I'd like to be able to have what I call a list of "IdP Profiles". One endpoint, /saml/, handles all requests, as it does now. However, the IdP profile to use for the workflow would be based on the IdP Issuer URI. From the perspective of an administrator, it would look something like the instructions in this Adobe documentation for configuring SSO: https://helpx.adobe.com/in/enterprise/help/configure-sso.html

@mikewiacek , can you elaborate on how something like multiple idps be handled in the middleware?

@mkobaly maybe the IdP selection could be done via some pluggable function. In your case you'd inspect the subdomain and and return the appropriate idp EntityDescriptor. In your suggestion, you propose having multiple ServiceProviders to select from. I admit I'm new to the concepts in SAML, so, is it the case that there ought to be a 1-1 correspondence between SP and IdP or is my suggestion, above, also a allowed: 1-* with one SP to many IdPs?

[OscarVanL]

Is there an effective way for a SP to support multiple IdPs in crewjam/saml then?