Automatically detect preferable IdP for user account by domain or mask


Damir Gainulin

Jul 5, 2016, 8:42:05 AM7/5/16
to SimpleSAMLphp
Hi everyone,

I have an installation of simplesaml with one SP and a few IdPs, and wonder if there's any chance to set a preferable IdP for users automatically, according to domain or account mask (i.e. some kind of regular expression) instead of making users choose at first logon? I've tried to find an answer in the documentation but have not succeeded. I'd really appreciate it if you at least point me at the correct man page :)

Thanks in advance!

Jaime Perez Crespo

Jul 5, 2016, 8:49:47 AM7/5/16
to simple...@googlegroups.com
Hi,
On 05 Jul 2016, at 14:42 PM, Damir Gainulin <damir.k....@gmail.com> wrote:
> Hi everyone,
>
> I have an installation of simplesaml with one SP and a few IdPs, and wonder if there's any chance to set a preferable IdP for users automatically, according to domain or account mask (i.e. some kind of regular expression) instead of making users choose at first logon? I've tried to find an answer in the documentation but have not succeeded. I'd really appreciate it if you at least point me at the correct man page :)

What do you mean by “according to domain or account mask”? Do you want the users to type in their email addresses and passwords, and use that to automatically select the IdP and forward the credentials? If that’s the case, SimpleSAMLphp does not allow that, basically because it’s a very bad idea. A service provider should NEVER get the credentials of the user. In that case, the only way an SP could get such domain or account mask would be to ask for it explicitly, which is a terrible user experience (since users will need to write their email twice, instead of just picking an IdP from a list).

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Damir Gainulin

Jul 5, 2016, 10:06:41 AM7/5/16
to SimpleSAMLphp
Hi Jaime,

Yes, that's exactly what I meant - using some part of the user login to identify the IdP. Thank you very much for your response, the thing is now clear to me!

Thanks in advance!

Peter Schober

Jul 5, 2016, 11:19:41 AM7/5/16
to SimpleSAMLphp
* Damir Gainulin <damir.k....@gmail.com> [2016-07-05 14:42]:
> I have an installation of simplesaml with one SP and a few IdPs, and wonder if
> there's any chance to set a preferable IdP for users automatically, according
> to domain or account mask (i.e. some kind of regular expression) instead of
> making users choose at first logon?

In addition to what Jaime said: The IDP discovery interface should be
able to remember previous choices, so selecting an IDP should be as
easy as clicking "OK" (or hitting return) once.

Some IDP discovery services also have a feature to allow the subject
to set a long-lived HTTP Cookie that tells the IDP discovery service
what IDP they selected, and to NOT ask them anymore in the future.
E.g. the SWITCHwayf can do that
https://www.switch.ch/aai/support/tools/wayf/

But sending the subject to an IDP automatically, i.e., based on some
automatism or algorithm, with no interaction/choice, is not generally
recommended. E.g. I could be a guest at, say, a Norwegian institution
but when accessing a service I'd still want/need to use my credentials
from an Austrian institution. Obviously the specifics will vary
depending on your deployment.

A standardised way to try to guess what IDP a subject is likely to
want to use is recording IP ranges, DNS domain names and/or
geo-location coordinates in SAML Metadata for each IDP.
Cf. https://wiki.oasis-open.org/security/SAML2MetadataUI
An IDP discovery service could then *suggest* or pre-select an IDP
based on the client's IP address, an associated domain name (via PTR
lookup from the connecting IP address) or the browser's HTML5
geolocation (if allowed by the browser).
For just "a few IDPs" that's probably overkill, unless the software
you're using already supports that. Then it makes sense to just
provide the additional data in SAML Metadata and have the IDP
discovery service suggest/pre-select what maybe is the desired IDP.
-peter
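Added example, not code from the thread or from SimpleSAMLphp: a small Python discovery helper that reads the mdui:DiscoHints (IPHint and DomainHint) Peter describes from SAML metadata and uses them only to *pre-select* an IdP, never to bypass the choice. The entityIDs, IP ranges and hostnames are constructed sample data; GeolocationHint is present in the sample but deliberately not evaluated here. It also shows the check a remembered-choice cookie needs: the stored entityID is honoured only if it is still a known IdP in the metadata, so a tampered cookie cannot redirect the user to an unknown endpoint.

```python
"""Pre-select an IdP from mdui:DiscoHints without taking the choice away from the user."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed sample metadata: two hypothetical IdPs with invented entityIDs
# and documentation-only address ranges (RFC 5737). Not real federation metadata.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example-no.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:DiscoHints>
          <mdui:IPHint>192.0.2.0/24</mdui:IPHint>
          <mdui:DomainHint>example-no.test</mdui:DomainHint>
        </mdui:DiscoHints>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example-no.test/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-at.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:DiscoHints>
          <mdui:IPHint>203.0.113.0/24</mdui:IPHint>
          <mdui:DomainHint>example-at.test</mdui:DomainHint>
          <mdui:GeolocationHint>geo:48.2082,16.3738</mdui:GeolocationHint>
        </mdui:DiscoHints>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example-at.test/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_disco_hints(metadata_xml):
    """Return {entityID: {"ip": [ip_network, ...], "domain": [str, ...]}} for every IdP."""
    root = ET.fromstring(metadata_xml)
    hints = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        ip_hints, domain_hints = [], []
        for dh in ed.iterfind("md:IDPSSODescriptor/md:Extensions/mdui:DiscoHints", NS):
            # IPHint values are CIDR blocks; strict=False tolerates host bits being set.
            ip_hints += [ipaddress.ip_network(e.text.strip(), strict=False)
                         for e in dh.findall("mdui:IPHint", NS)]
            domain_hints += [e.text.strip().lower().rstrip(".")
                             for e in dh.findall("mdui:DomainHint", NS)]
        hints[ed.get("entityID")] = {"ip": ip_hints, "domain": domain_hints}
    return hints


def suggest_idp(hints, client_ip=None, client_domain=None):
    """Return the single IdP whose hints match the client, or None if none or several match.

    None means: show the full list, exactly as the discovery service would without hints.
    """
    try:
        addr = ipaddress.ip_address(client_ip) if client_ip else None
    except ValueError:
        addr = None  # unparsable address: no IP-based suggestion
    dom = client_domain.lower().rstrip(".") if client_domain else None

    matches = []
    for entity_id, h in hints.items():
        ip_match = addr is not None and any(addr in net for net in h["ip"])
        dom_match = dom is not None and any(dom == d or dom.endswith("." + d) for d in h["domain"])
        if ip_match or dom_match:
            matches.append(entity_id)
    return matches[0] if len(matches) == 1 else None


def preselect_from_cookie(hints, cookie_value):
    """Honour a remembered IdP choice only if it is still a known entityID in the metadata."""
    return cookie_value if cookie_value in hints else None


if __name__ == "__main__":
    hints = load_disco_hints(SAMPLE_METADATA)
    print(suggest_idp(hints, client_ip="192.0.2.10"))
    print(suggest_idp(hints, client_domain="pc1.example-at.test"))
    print(suggest_idp(hints, client_ip="192.0.2.10", client_domain="pc1.example-at.test"))
```

In practice the discovery page would render the full IdP list with the suggested entry highlighted or at the top; when `suggest_idp` returns None (no hint matched, or several did, as for the guest-at-another-institution case Peter describes) the page simply shows the plain list.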