August 23, 2021 at 8:51 pm #28661 destracke (Participant)
We are kind of stuck trying to achieve the following concerning SAML2 Federation:
In our infrastructure we have two SAML-IDPs, IDP1 is an AM-hosted IDP, IDP2 is a Shibboleth-IDP.
What we would like to have:
– Remote SPs are configured with metadata from IDP1.
– When a user tries to login on a SP, they should be “proxied” from IDP1 to IDP2 for the login credentials.
– If authentication at IDP2 is successful, we would like to intercept the SAML flow to implement further mechanisms like MFA before the assertion is returned to the requesting SP.
What we have done so far:
– We configured a remote SP with IDP Proxying enabled, pointing to IDP2-Entity-ID for all requests.
– We have added an IDP-/SP-Proxy in AM
– IDP2 shares metadata with this SP-Proxy with proper attribute mapping
With this configuration, login basically works as we would like. Users don’t see the login window of AM (IDP1), but only of IDP2.
But we cannot figure out a way of intercepting the flow, ideally with Trees and Nodes, to implement further mechanisms.
Could you give us a pointer in the right direction? Is it even possible to realise such a scenario? Is the concept of IDP-Proxy right or should we try out something different?
Thank you very much!
Dennis

August 25, 2021 at 9:25 pm #28662 Jatinder Singh (Participant)
It appears your SAML2 implementation utilizes Standalone mode. If that is true and looking at your target design, I suggest implementing SAML2 in Integrated mode using Trees. Please see below for more information.
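The interception point both posts are talking about sits between "IDP2 returned a successful assertion to the SP-proxy" and "IDP1 issues its own assertion to the remote SP". The following added example (not code from the thread, and not AM's or Shibboleth's own implementation) shows in plain Python what that stage has to check and decide before an MFA step is allowed to run: it parses a constructed SAML Response from IDP2, verifies status, issuer, validity window and that the assertion is addressed to the SP-proxy's entity ID, then refuses to issue downstream until the MFA step has passed. All entity IDs, the subject, and the step-up AuthnContext class are placeholders; XML signature verification is deliberately out of scope here and must be done by the SAML stack in a real deployment.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder entity IDs (assumptions, not from any real deployment).
IDP2_ENTITY_ID = "https://idp2.example/idp/shibboleth"      # upstream Shibboleth IDP
SP_PROXY_ENTITY_ID = "https://idp1.example/sp-proxy"       # AM-hosted SP-proxy
# Illustrative AuthnContext class the proxy asserts downstream once MFA passed.
MFA_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Constructed sample of what the SP-proxy receives from IDP2 after a successful login.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2021-08-23T18:50:00Z" Destination="https://idp1.example/sp-proxy/acs">
  <saml:Issuer>https://idp2.example/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-08-23T18:50:00Z">
    <saml:Issuer>https://idp2.example/idp/shibboleth</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@example.org</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-08-23T18:49:00Z" NotOnOrAfter="2021-08-23T18:55:00Z">
      <saml:AudienceRestriction><saml:Audience>https://idp1.example/sp-proxy</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2021-08-23T18:50:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2021-08-23T18:49:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


# Constructed clock values: one inside the assertion's window, one after it expired.
SAMPLE_NOW = _ts("2021-08-23T18:51:00Z")
SAMPLE_LATE = _ts("2021-08-23T19:05:00Z")


def validate_proxied_assertion(response_xml, expected_issuer, proxy_entity_id, now):
    """Checks the SP-proxy must make on IDP2's assertion before anything else runs.

    Raises ValueError on any failure; returns the facts the next stage needs.
    """
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("upstream IDP did not return Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    # Reject replayed/expired or not-yet-valid assertions.
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # The assertion must be addressed to the SP-proxy, not to some other SP of IDP2.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if proxy_entity_id not in audiences:
        raise ValueError(f"assertion not addressed to the SP-proxy; audiences={audiences}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn_ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return {"subject": name_id, "authn_context": authn_ctx, "issuer": issuer}


def intercept_and_decide(response_xml, now, mfa_passed,
                         expected_issuer=IDP2_ENTITY_ID, proxy_entity_id=SP_PROXY_ENTITY_ID):
    """The stage between 'IDP2 succeeded' and 'IDP1 issues an assertion to the remote SP'.

    mfa_passed stands in for the outcome of whatever step-up node runs in the tree.
    """
    info = validate_proxied_assertion(response_xml, expected_issuer, proxy_entity_id, now)
    if not mfa_passed:
        # Hold the flow: the remote SP gets nothing until the extra factor is done.
        return {"issue": False, "reason": "mfa required", "subject": info["subject"]}
    return {
        "issue": True,
        "subject": info["subject"],
        "upstream_context": info["authn_context"],  # what IDP2 vouched for
        "downstream_context": MFA_CONTEXT,          # what IDP1 will vouch for
    }


if __name__ == "__main__":
    print(intercept_and_decide(SAMPLE_RESPONSE, SAMPLE_NOW, mfa_passed=False))
    print(intercept_and_decide(SAMPLE_RESPONSE, SAMPLE_NOW, mfa_passed=True))
```

The point of the audience and validity checks is that an IDP proxy is itself an SP toward IDP2: an assertion minted for a different SP, or one that has expired, must not be accepted as proof that the user just authenticated. Only once those checks pass does it make sense to run the MFA step and then let IDP1 issue its own assertion, carrying the stronger AuthnContext, to the remote SP.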