isPassive is an attribute on an authentication request.
By default the software will only send out one such authentication
request if configured via the webserver (or the portable
configuration), to either the default IdP or the IdP selected via
content settings.
So the only way to do this IMHO would be to generate those authentication
requests yourself, programmatically (possibly with help of the session
initiator, where you would loop over all IdPs and keep sending the
user agent elsewhere).
Depending on latency and number of IdPs this probably won't go
unnoticed by the user and will most certainly not provide a good user
experience.
Also note that isPassive is of course SAML2 only, so if some of those
IdPs are still SAML1-only (I hear such things do exist) this wouldn't
work as intended.
-peter
Everyone agrees that discovery is painful but with the new developments
https://wiki.shibboleth.net/confluence/display/EDS10/Embedded+Discovery+Service
or http://discojuice.org/ this seems to be a lot less intrusive or
error prone than trying all possible IdPs instead of just asking.
> How might an appropriate SessionInitiator for looping over 2 or more
> IdPs look?
When sending the user agent off to all IdPs you know in turn
you'll need to keep track of those yourself (e.g. in a cookie or via
request parameters). The session initiators take the usual parameters
(see content settings in the wiki), e.g. entity=<entityid-of-the-idp>
There is none, you have to script the entire process via the lazy session
mechanism.
Some notes:
- the SP will now correctly return the client to the target resource if
you specify isPassive and it can't dispatch via a supporting initiator
(that handles the SAML 1 case)
- the SP will ignore the NoPassive error code and pass control back to the
target resource if the IdP returns that code
- any other error would terminate, so you'd have to handle errors with the
redirectErrors option
All of the features involved are poorly tested and probably buggy.
-- Scott
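The bookkeeping discussed in this thread, as an added example that is not from any poster or from the Shibboleth code base: a lazy-session resource keeps a loop counter in a request parameter and builds the next passive login redirect. The `/Shibboleth.sso/Login` handler path, the `passive_try` counter name and the IdP entity IDs are assumptions; the `entity` parameter name is taken from the post above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values; replace with your deployment's own.
IDPS = ["https://idp1.example.org/idp", "https://idp2.example.org/idp"]
SP_ORIGIN = "https://sp.example.org"
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # assumed handler location
STATE_PARAM = "passive_try"              # hypothetical loop-counter parameter


def next_passive_redirect(request_uri, has_session):
    """Return the redirect URL for the next passive attempt, or None when a
    session already exists or every IdP has been tried (fall back to
    discovery or an anonymous view in that case)."""
    if has_session:
        return None
    parts = urlsplit(request_uri)
    # Only the path is reused; scheme and host always come from SP_ORIGIN,
    # so a crafted request cannot turn `target` into an off-site redirect.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError("expected an origin-relative request URI")
    raw = parse_qs(parts.query).get(STATE_PARAM, ["0"])[0]
    # The counter is client-controlled: accept only an in-range integer,
    # which also bounds the number of redirects the loop can cause.
    if not (raw.isascii() and raw.isdigit()) or int(raw) > len(IDPS):
        raise ValueError("bad loop counter")
    tried = int(raw)
    if tried == len(IDPS):
        return None
    # The SP sends the client back to `target` when the IdP answers
    # NoPassive, so the incremented counter travels inside the target.
    # Other query parameters of the resource are dropped in this sketch.
    target = f"{SP_ORIGIN}{parts.path}?{urlencode({STATE_PARAM: tried + 1})}"
    query = urlencode(
        {"entity": IDPS[tried], "isPassive": "true", "target": target}
    )
    return f"{SP_ORIGIN}{LOGIN_HANDLER}?{query}"
```

Errors other than NoPassive do not come back to the target, so they still need the redirectErrors handling mentioned above.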