SAML2 proxy-like solution, but with Tree & Node support

This topic has 1 reply, 2 voices, and was last updated 4 weeks ago by Jatinder Singh.

  • Author
    Posts
  • #28661
     destracke
    Participant

    Hello everyone,
    we are kind of stuck trying to achieve the following concerning SAML2 Federation:

    In our infrastructure we have two SAML-IDPs, IDP1 is a AM-hosted IDP, IDP2 is an Shibboleth-IDP.

    What we would like to have:
    – Remote SPs are configured with metadata from IDP1.
    – When a user tries to login on a SP, they should be “proxied” from IDP1 to IDP2 for the login credentials.
    – If authentication at IDP2 is successful, we would like to intercept the SAML flow to implement further mechanisms like MFA before the assertion is returned to the requesting SP.

    What we have done so far:
    – We configured a remote SP with IDP Proxying enabled, pointing to IDP2-Entity-ID for all request.
    – We have added an IDP-/SP-Proxy in AM
    – IDP2 shares metadata with this SP-Proxy with proper attribute mapping

    With this configuration, login basically works as we would like. User don’t see the login window of AM (IDP1), but only of IDP2.

    But we cannot figure out a way of intercepting the flow, ideally with Trees and Nodes, to implement further mechanisms.

    Could you give as a pointer in the right direction? Is it even possible to realise such a scenario? Is the concept of IDP-Proxy right or should we try out something different?

    Thank you very much!

    Best regards
    Dennis

    #28662
     Jatinder Singh
    Participant

    It appears your SAML2 implementation utilizes Standalone mode. If that is true and looking at your target design, I suggest implementing SAML2 in Integrated mode using Trees. Please see below for more information.

    https://backstage.forgerock.com/docs/am/7.1/saml2-guide/saml2-integrated-mode.html

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?