> On 22 Nov 2016, at 15:46, Qian, Yi <yq...@ku.edu> wrote:
>
> Hello,
>
> Our institution has multiple Shibboleth IdPs, and we have a vendor SP that can only be set up to authenticate against one IdP. We can either congregate all the identities into a new IdP, which is very much impossible from a political standpoint.
>
Hello, I think that you should first set up SimpleSAMLphp to act as an SP which is able to authenticate against your Shibboleth IdPs.
See
https://simplesamlphp.org/docs/stable/simplesamlphp-sp
In particular you will add all Shibboleth IdPs to metadata/saml20-idp-remote.php
and you will exchange your metadata with all the Shibboleth IdPs.
You will likely configure a discovery service which knows about those IdPs.
Next you will configure your SimpleSAMLphp as an IdP that will act as a bridge:
https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures#section_2
In saml20-idp-hosted.php you will refer to the previously configured SP:
'auth' => 'default-sp',
Finally the vendor SP will only know about your SimpleSAMLphp IdP.
Dealing with attributes from all the IDPs is left as an exercise to the reader …
It’s not so straightforward but I think these steps should give you a working setup.
Best regards,
Enrico.
--
Enrico Cavalli -
enrico....@gmail.com
jabber:
enrico....@gmail.com skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94 8ADE BC4B 43A7 0485 30E5
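As an added example (not Enrico's configuration and not the SimpleSAMLphp project's own files), here are the four config fragments that make up the bridge he describes, shown in sequence in one listing. The hostnames, entity IDs, key and certificate file names, the vendor's AssertionConsumerService URL and the released attribute list are assumed placeholders; the option names and file locations are SimpleSAMLphp's own.

```php
<?php
// Added example of a SimpleSAMLphp "bridge": an SP that can reach several
// Shibboleth IdPs via discovery, fronted by an IdP that the vendor talks to.
// All hostnames, entity IDs, file names and certificates below are placeholders.

// ---------- config/authsources.php ----------
// SP side of the bridge. 'idp' => null means "do not pin one IdP"; the user
// picks one on the discovery page, which lists the saml20-idp-remote entries.
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID'    => 'https://bridge.example.edu/sp',       // placeholder
        'idp'         => null,   // null = ask the discovery service
        'discoURL'    => null,   // null = built-in discovery service
        'privatekey'  => 'bridge-sp.pem',  // placeholder file names under cert/
        'certificate' => 'bridge-sp.crt',
    ],
];

// ---------- metadata/saml20-idp-remote.php ----------
// One entry per campus Shibboleth IdP, copied from each IdP's published
// metadata (or fetched with the metarefresh module). The 'name' is the label
// shown on the discovery page.
$metadata['https://idp-a.example.edu/idp/shibboleth'] = [
    'name'                => ['en' => 'Campus A'],
    'SingleSignOnService' => 'https://idp-a.example.edu/idp/profile/SAML2/Redirect/SSO',
    'SingleLogoutService' => 'https://idp-a.example.edu/idp/profile/SAML2/Redirect/SLO',
    'certData'            => 'MIIC...PLACEHOLDER...', // base64 signing cert of IdP A
];
$metadata['https://idp-b.example.edu/idp/shibboleth'] = [
    'name'                => ['en' => 'Campus B'],
    'SingleSignOnService' => 'https://idp-b.example.edu/idp/profile/SAML2/Redirect/SSO',
    'SingleLogoutService' => 'https://idp-b.example.edu/idp/profile/SAML2/Redirect/SLO',
    'certData'            => 'MIIC...PLACEHOLDER...', // base64 signing cert of IdP B
];

// ---------- metadata/saml20-idp-hosted.php ----------
// IdP side of the bridge. 'auth' points at the authsource above, so a login
// at this IdP is satisfied by authenticating at whichever upstream IdP the
// user chose; the bridge then issues its own assertion to the vendor.
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'bridge-idp.pem',  // keep the IdP signing key separate from the SP key
    'certificate' => 'bridge-idp.crt',
    'auth'        => 'default-sp',      // the line Enrico refers to
    // The "exercise for the reader": upstream IdPs may release attributes under
    // different names, so normalise them to urn:oid form and then release only
    // the agreed set, so nothing extra from any upstream IdP reaches the vendor.
    'authproc' => [
        10 => ['class' => 'core:AttributeMap', 'name2oid'],
        20 => ['class' => 'core:AttributeLimit',
               'urn:oid:0.9.2342.19200300.100.1.3',   // mail
               'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'],   // eduPersonPrincipalName
    ],
];

// ---------- metadata/saml20-sp-remote.php ----------
// The vendor SP, registered with the bridge IdP. The vendor itself only ever
// receives the bridge IdP's metadata and never learns about the campus IdPs.
$metadata['https://vendor.example.com/shibboleth'] = [
    'AssertionConsumerService' => 'https://vendor.example.com/Shibboleth.sso/SAML2/POST',
    'certData'                 => 'MIIC...PLACEHOLDER...', // vendor SP certificate
];
```

With this in place the metadata exchange goes two ways: each campus Shibboleth IdP registers the bridge's SP metadata (entity ID `https://bridge.example.edu/sp` in this example), and the vendor registers the bridge's IdP metadata. The `AttributeLimit` filter is the check worth keeping even if the attribute map changes: without it, every attribute any upstream IdP happens to release is forwarded to the vendor.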