By: Challa Rao Ande user 11 Jan 2017 at 4:56 a.m. CST

11 Responses
Challa Rao Ande gravatar
Hi, I've gone through Gluu Asimba docs. But seems like this is not what I'm looking for. Following are my requirements: 1. SP requests IDP at Gluu 2. Based on some criteria like domain suffix of the username@domain.com 3. This should redirect to the correct IDP 4. Redirect back. 5. Back to SP. Reference: https://spaces.internet2.edu/display/GS/SAMLIdPProxy Is this Scenario possible with Gluu? Thank you

By Mohib Zico Account Admin 11 Jan 2017 at 5:05 a.m. CST

Mohib Zico gravatar
Possible. This feature is called '[Add Selectors](https://gluu.org/docs/integrate/inbound-saml/#inbound-saml-in-gluu-server)'; however this is not supported out of the box. Custom configuration required.

By Challa Rao Ande user 11 Jan 2017 at 5:49 a.m. CST

Challa Rao Ande gravatar
Hi Mohib, But this Add Selectors feature selects IDP based on SP. In my case, I want to do it based on some criteria like the domain part of Email Id, or some custom script possibly. Is it possible? Also, are all these features available through SCIM api? to make it dynamic. Thanks for the response.

By Challa Rao Ande user 12 Jan 2017 at 1:31 a.m. CST

Challa Rao Ande gravatar
Hi, Any help?

By Mohib Zico Account Admin 12 Jan 2017 at 3:52 a.m. CST

Mohib Zico gravatar
Hello Challa, Please give us some time; we will raise this design in our internal meeting. Let's see if we can come up with something.

By Mohib Zico Account Admin 16 Jan 2017 at 6:11 a.m. CST

Mohib Zico gravatar
Hi Challa, So we have one question... >> SP requests IDP at Gluu >> Based on some criteria like domain suffix of the username@domain.com >> This should redirect to the correct IDP We are not clear how Gluu Server will decide on domain? that means, without login in Gluu Server we have no idea what's the domain is and where to put users for authentication. If you have any plan please feel free to share. 'Add Selectors' is a feature which decides where to put users for authentication. There is a mapping section there which has information like 'SP1->IDP1', 'SP2->IDP2'; so whenever some user will hit SP1, they will automatically move to IDP1 for authentication; same true for SP2+IDP2.

By Challa Rao Ande user 16 Jan 2017 at 6:45 a.m. CST

Challa Rao Ande gravatar
Hi Mohib, Edit: Sorry now I got you meant by redirecting to IDPs based on hitting SPs, I got your point. On how to decide the IDP part, Gluu should always ask the username from the user, based on the username entered it will determine the IDP based on following procedure and then redirect to the correct IDP. For example, these days Gmail is asking the username first after submitting it it would ask password. But in my case I would like to be able to either ask password in the next step or redirect to a separate IDP if one exists for the user organization. Basically, I went through this: https://spaces.internet2.edu/display/GS/SAMLIdPProxy But it seems like even shibboleth has no documentation on how to do something given in the above link. But what I kind of need is: Gluu server should call a script which returns the domain given the username. The script might contact other customer services/api to determine the right IDP not just the domain. The external api will take care of determining the IDP based on the custom criteria. Gluu server facilitates custom Jython scripts for authentication right, in the same way, it should be able to call the selector script. Thanks for taking my question into consideration. Also, in the current Gluu selector as you have explained, I would like to know how does a Single Sign On works. For example SP1 accesses Gluu and redirects to IDP1, now if SP2 accesses Gluu from the same browser would it authenticate the user as the authentication already happened through Gluu or will it again redirect to IDP2?

By Mohib Zico Account Admin 17 Jan 2017 at 12:14 a.m. CST

Mohib Zico gravatar
>> Gluu server should call a script which returns the domain given the username. The script might contact other customer services/api to determine the right IDP not just the domain. The external api will take care of determining the IDP based on the custom criteria. Ok. Theoretically it seems possible but we will know when we will move for actual coding and testing. >> Also, in the current Gluu selector as you have explained, I would like to know how does a Single Sign On works. For example SP1 accesses Gluu and redirects to IDP1, now if SP2 accesses Gluu from the same browser would it authenticate the user as the authentication already happened through Gluu or will it again redirect to IDP2? I think it should redirect to IDP2.

By Challa Rao Ande user 17 Jan 2017 at 1:42 a.m. CST

Challa Rao Ande gravatar
Thanks for your help Mohib.

By Challa Rao Ande user 01 Mar 2017 at 1:35 a.m. CST

Challa Rao Ande gravatar
Hi Mohib, Is there any update on this? Thank you.

By Mohib Zico Account Admin 01 Mar 2017 at 2:10 a.m. CST

Mohib Zico gravatar
Hi Challa, This is a custom feauture. If we get request from customer or if there is high demand from community on this issue, we will engage.

By Matt Young user 11 Oct 2018 at 4:29 p.m. CDT

Matt Young gravatar
I am getting ready to implement this as well. We have a need for third party cots products that only speak saml but we want to frontend all the upstream IDPs with gluu (this is a selector maybe?) and based ona request header or some url analysis, select the correct IDP for saml. For the record, our internal users should automatically select the local shiboleth instance within gluu as the idp