By: Qaiser Iftikhar user 12 Jun 2019 at 5:32 a.m. CDT

4 Responses
We are looking to use an external IDP (OpenID Connect) provider, e.g. Google, GitHub. The application which needs to authenticate is using SAML to get authenticated. I was wondering what is the process of preselecting an external OpenID Connect provider when the incoming request is SAML. We are not looking to provide the user the option to choose the external provider in Gluu. We have managed to achieve the pre-selection of an external IDP when the connecting application is using OpenID Connect but are not sure how to do it when the application is using SAML.

By Aliaksandr Samuseu staff 12 Jun 2019 at 5:39 p.m. CDT

Hi, Qaiser.

> I was wondering what is the process of preselecting an external OpenID Connect provider when the incoming request is SAML. We are not looking to provide the user the option to choose the external provider in Gluu.

Not an easy question, indeed. There is no inbuilt solution for it at the moment.

> We have managed to achieve the pre-selection of an external IDP when the connecting application is using OpenID Connect but are not sure how to do it when the application is using SAML.

Correct, OIDC apps have better control as they can "talk" to oxAuth directly, while a SAML request first must pass through the Shibboleth IDP component, which is a 3rd-party app integrated into Gluu Server (i.e. we use it "as it is", only changing a few files we need to integrate it seamlessly), and no parameters you add to it will make it to oxAuth. It turns out we don't have a solution for this yet. Feel free to submit a feature proposal for it [at Github](https://github.com/GluuFederation/oxShibboleth/issues), but we can't provide any ETA in this case.

By Aliaksandr Samuseu staff 12 Jun 2019 at 6:01 p.m. CDT

I see one possible solution, though. If you can establish static mappings like "SP1_entityid -> external_IDP1, SP2_entityid -> external_IDP2, SP3_entityid -> external_IDP3, etc.", then you could modify the `passport_saml` script, making it retrieve the entityId of the SP, check it against the mapping table, and use the external IDP assigned to it. Gluu's IDP component passes the entityId of the calling SP in the "entityId" custom parameter to oxAuth. It can be retrieved from inside a custom script with something like this:

```python
# Jython custom-script snippet. Imports assume Gluu 3.1.x package paths
# (Gluu 4.x moved these classes under org.gluu.*).
from org.xdi.service.cdi.util import CdiUtil
from org.xdi.oxauth.security import Identity

identity = CdiUtil.bean(Identity)
sessionId = identity.getSessionId()
...
# the IDP component stored the calling SP's entityId as a session attribute
sessionAttributes = sessionId.getSessionAttributes()
entityId = sessionAttributes.get("entityId")
...
```

Community Support doesn't cover scripting questions, though, so we won't be able to assist you with this further than that.
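A worked version of the static-mapping approach, added here as an illustration rather than code from the thread or from Gluu's own `passport_saml` script. It is plain Python so it runs outside Jython; the mapping table, the provider ids "google" and "github", and the `FakeSessionId`/`FakeIdentity` stand-ins for oxAuth's session beans are all assumptions. What it adds beyond the snippet above is the fail-closed behaviour: an exact-match lookup on the entityId, and `None` (meaning abort, or fall back to explicit selection) whenever the session, the entityId or the mapping entry is missing.

```python
# Added example, not Gluu's passport_saml script: the static
# SP-entityId -> external-IDP mapping suggested above, in plain Python.
# Assumptions for illustration: the mapping table contents, the provider ids
# "google"/"github", and the Fake* stand-ins for oxAuth's Identity/SessionId beans.

# Constructed mapping table: SAML SP entityId (as registered in the Shibboleth IDP)
# -> id of the external OIDC provider configured in Passport.
SP_TO_PROVIDER = {
    "https://app1.example.com/saml/metadata": "google",
    "https://app2.example.com/saml/metadata": "github",
}


def select_external_provider(session_attributes, mapping=SP_TO_PROVIDER):
    """Return the provider id mapped to the calling SP, or None.

    Exact match only: entityIds are URIs and are compared as-is (after
    trimming surrounding whitespace), so a look-alike SP that merely shares a
    prefix with a mapped one never matches. Any missing piece (no attributes,
    no entityId, SP not in the table) yields None so the caller fails closed
    instead of silently routing the user to some default provider.
    """
    if not session_attributes:
        return None
    entity_id = session_attributes.get("entityId")
    if not entity_id:
        return None
    return mapping.get(entity_id.strip())


def resolve_provider_from_identity(identity, mapping=SP_TO_PROVIDER):
    """Same lookup, driven from an oxAuth Identity-like object.

    In the real script `identity` would be CdiUtil.bean(Identity); here it is
    anything exposing getSessionId().getSessionAttributes() (see the stand-ins).
    """
    session_id = identity.getSessionId()
    if session_id is None:  # no authorization session yet: nothing to map
        return None
    return select_external_provider(session_id.getSessionAttributes(), mapping)


# Constructed stand-ins for the oxAuth beans, used only to run this example.
class FakeSessionId(object):
    def __init__(self, attributes):
        self._attributes = attributes

    def getSessionAttributes(self):
        return self._attributes


class FakeIdentity(object):
    def __init__(self, session_id):
        self._session_id = session_id

    def getSessionId(self):
        return self._session_id


if __name__ == "__main__":
    mapped_sp = FakeIdentity(FakeSessionId({"entityId": "https://app1.example.com/saml/metadata"}))
    unknown_sp = FakeIdentity(FakeSessionId({"entityId": "https://other.example.com/saml/metadata"}))
    print(resolve_provider_from_identity(mapped_sp))   # google
    print(resolve_provider_from_identity(unknown_sp))  # None: abort rather than guess
```

In the real script the returned provider id would take the place of a provider pre-selected by the calling application, and a `None` result should stop the flow (or show the chooser) rather than pick a provider by default, since a wrong guess would send the user to an identity provider the SP never agreed to.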

By Qaiser Iftikhar user 14 Jun 2019 at 8:01 a.m. CDT

Thank you for your responses, Aliaksandr. I got that working, but it doesn't solve our problem. We want the connecting application to pass the external IDP. Need to find a way for Shibboleth to pass the "authz_req_param_provider" parameter to Gluu.

By Aliaksandr Samuseu staff 15 Jun 2019 at 5:43 a.m. CDT

> Need to find a way for Shibboleth to pass the "authz_req_param_provider" parameter to Gluu.

It turns out we don't have a solution for this problem at the moment. Static mapping as suggested above is the only way to achieve a semblance of automatic selection of an external IDP in this use case. Feel free to submit an enhancement proposal at Github, but keep in mind we can't provide an ETA for such requests under Community Support.