* Eivind Lie Andreassen <ela...@gmail.com> [2016-07-12 12:47]:
> Does anyone know whether it is possible to setup SSP as an IdP, and
> bridge it to multiple AD FS servers for authentication?
You can set up SSP as an SP towards those 3 IDPs, and as an IDP
towards the protected resources, sure. I.e., the same SSP instance
would be configured as both an IDP and an SP.
But MS-ADFS itself functions as a proxy (acting as both a SAML IDP and
SAML SP), so maybe adding yet another MS-ADFS would be a more natural
fit in your case?
Of course *avoiding* any proxying is much preferable, for lesser
complexity of the setup (and therefore more resilience) as well as
higher fidelity (end-to-end encryption of protocol messages, Single
Logout where SPs/applications support it, etc.).
One way to do that would be ignoring the "FS" part of each
MS-AD/domain and using only those for LDAP authentication and as
attribute sources, from a single SAML IDP (SSP or otherwise).
Whether that's possible depends on internal IDM practices
(e.g. uniqueness of identifiers across MS-AD instances) and UX choices
(e.g. what login name someone needs to enter into that one SAML IDP;
even without globally unique identifiers you could still make that
model work either with "scoped" identifiers, or by having a choice of
MS-AD/group/domain on the login page, e.g. like FEIDE has done for
years, cf.
https://foodl.org/ and pick "Feide" during login. The UI
can look quite different, of course.)
-peter
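Added example (not from the thread and not peter's own configuration): a SimpleSAMLphp 1.x `config/authsources.php` sketch of the non-proxying option described above, with one `ldap:LDAP` source per AD domain (the "FS" part unused) and a `multiauth:MultiAuth` wrapper that gives the domain choice on the login page. Hostnames, base DNs and the bind account are placeholders.

```php
<?php
// config/authsources.php -- added example, not from the mailing-list thread.
// All hostnames, DNs and the service account below are placeholders.
$config = [

    // One LDAP auth source per MS-AD domain. Only LDAP is used, so there is
    // no SAML proxy hop and the single SSP IDP talks end-to-end to the SPs.
    'ad-corp-a' => [
        'ldap:LDAP',
        'hostname'   => 'ldaps://dc1.corp-a.example',   // placeholder
        'port'       => 636,
        'enable_tls' => false,   // already LDAPS; do not also issue STARTTLS
        'timeout'    => 10,
        // Attributes read after bind. userPrincipalName is natively scoped
        // (user@corp-a.example), which keeps identifiers unique across domains.
        'attributes' => ['sAMAccountName', 'userPrincipalName', 'mail', 'displayName'],
        // Users type only their short login name; SSP looks up the DN first
        // with a read-only service account, then binds as the user.
        'search.enable'     => true,
        'search.base'       => 'DC=corp-a,DC=example',
        'search.attributes' => ['sAMAccountName', 'userPrincipalName'],
        'search.username'   => 'CN=svc-ssp-bind,OU=Service,DC=corp-a,DC=example',
        'search.password'   => 'REPLACE-ME',   // placeholder
        'priv.read'         => false,
    ],

    'ad-corp-b' => [
        'ldap:LDAP',
        'hostname'   => 'ldaps://dc1.corp-b.example',   // placeholder
        'port'       => 636,
        'enable_tls' => false,
        'timeout'    => 10,
        'attributes' => ['sAMAccountName', 'userPrincipalName', 'mail', 'displayName'],
        'search.enable'     => true,
        'search.base'       => 'DC=corp-b,DC=example',
        'search.attributes' => ['sAMAccountName', 'userPrincipalName'],
        'search.username'   => 'CN=svc-ssp-bind,OU=Service,DC=corp-b,DC=example',
        'search.password'   => 'REPLACE-ME',   // placeholder
        'priv.read'         => false,
    ],

    // The login-page choice mentioned in the reply (cf. the FEIDE UI):
    // the user picks their domain and is then authenticated against that
    // domain's LDAP source only.
    'ad-choice' => [
        'multiauth:MultiAuth',
        'sources' => [
            'ad-corp-a' => ['text' => ['en' => 'Corp A (corp-a.example)']],
            'ad-corp-b' => ['text' => ['en' => 'Corp B (corp-b.example)']],
        ],
    ],
];
```

Point the hosted IDP at the wrapper with `'auth' => 'ad-choice'` in `metadata/saml20-idp-hosted.php`; which LDAP source a user lands in is then decided by the login-page choice, not by a second SAML hop.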