By: Challa Rao Ande user 11 Jan 2017 at 4:56 a.m. CST

11 Responses
Hi, I've gone through the Gluu Asimba docs, but it seems like this is not what I'm looking for. Following are my requirements:
1. SP requests IDP at Gluu.
2. Based on some criteria like the domain suffix of username@domain.com,
3. this should redirect to the correct IDP.
4. Redirect back.
5. Back to SP.
Reference: https://spaces.internet2.edu/display/GS/SAMLIdPProxy
Is this scenario possible with Gluu? Thank you.

By Mohib Zico staff 11 Jan 2017 at 5:05 a.m. CST

Possible. This feature is called '[Add Selectors](https://gluu.org/docs/integrate/inbound-saml/#inbound-saml-in-gluu-server)'; however, this is not supported out of the box. Custom configuration is required.

By Challa Rao Ande user 11 Jan 2017 at 5:49 a.m. CST

Hi Mohib, but this Add Selectors feature selects the IDP based on the SP. In my case, I want to do it based on some criteria like the domain part of the email ID, or possibly some custom script. Is it possible? Also, are all these features available through the SCIM API, to make it dynamic? Thanks for the response.

By Challa Rao Ande user 12 Jan 2017 at 1:31 a.m. CST

Hi, Any help?

By Mohib Zico staff 12 Jan 2017 at 3:52 a.m. CST

Hello Challa, Please give us some time; we will raise this design in our internal meeting. Let's see if we can come up with something.

By Mohib Zico staff 16 Jan 2017 at 6:11 a.m. CST

Hi Challa, so we have one question...
>> SP requests IDP at Gluu
>> Based on some criteria like domain suffix of the username@domain.com
>> This should redirect to the correct IDP
We are not clear how Gluu Server will decide on the domain; that means, without logging in to Gluu Server, we have no idea what the domain is and where to put users for authentication. If you have any plan, please feel free to share. 'Add Selectors' is a feature which decides where to put users for authentication. There is a mapping section there which has information like 'SP1->IDP1', 'SP2->IDP2'; so whenever some user hits SP1, they will automatically move to IDP1 for authentication; the same is true for SP2 + IDP2.

By Challa Rao Ande user 16 Jan 2017 at 6:45 a.m. CST

Hi Mohib, edit: sorry, now I get what you meant by redirecting to IDPs based on hitting SPs; I got your point.
On how to decide the IDP part: Gluu should always ask the username from the user; based on the username entered, it will determine the IDP based on the following procedure and then redirect to the correct IDP. For example, these days Gmail asks for the username first and, after submitting it, asks for the password. But in my case I would like to be able to either ask for the password in the next step or redirect to a separate IDP if one exists for the user's organization. Basically, I went through this: https://spaces.internet2.edu/display/GS/SAMLIdPProxy But it seems like even Shibboleth has no documentation on how to do what is given in the above link.
What I kind of need is: the Gluu server should call a script which returns the domain given the username. The script might contact other customer services/APIs to determine the right IDP, not just the domain. The external API will take care of determining the IDP based on the custom criteria. The Gluu server facilitates custom Jython scripts for authentication, right? In the same way, it should be able to call the selector script. Thanks for taking my question into consideration.
Also, in the current Gluu selector as you have explained, I would like to know how Single Sign-On works. For example, SP1 accesses Gluu and redirects to IDP1; now if SP2 accesses Gluu from the same browser, would it authenticate the user as the authentication already happened through Gluu, or will it again redirect to IDP2?
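
As an added example (not code from the original posts or from Gluu), here is how the two selection strategies discussed in this thread could be implemented side by side: the SP-to-IdP mapping Mohib describes ('SP1->IDP1', 'SP2->IDP2') and the username-domain lookup Challa asks for, with unknown domains falling back to the local IdP. All entity IDs, domains and the AuthnRequest fragment are constructed sample values.

```python
"""Added example, not Gluu code: two IdP-selection strategies for a SAML proxy.
Strategy 1 ('Add Selectors' style) routes by the SP that sent the AuthnRequest;
strategy 2 (username-first) routes by the domain of the entered username."""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
           "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LOCAL_IDP = "https://idp.gluu.example/idp/shibboleth"  # constructed local Shibboleth IdP
SP_TO_IDP = {  # constructed 'SP1->IDP1', 'SP2->IDP2' mapping
    "https://sp1.example.com/saml": "https://idp1.example.org/idp",
    "https://sp2.example.com/saml": "https://idp2.example.org/idp",
}
DOMAIN_TO_IDP = {  # constructed partner-domain -> IdP mapping
    "partner-a.example": "https://idp.partner-a.example/idp",
}


def sp_entity_id(authn_request_xml: str) -> Optional[str]:
    """Return the <saml:Issuer> of a SAML 2.0 AuthnRequest, or None.
    Untrusted XML should go through defusedxml to block entity-expansion tricks."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAML_NS["samlp"]:
        return None
    issuer = root.find("saml:Issuer", SAML_NS)
    return issuer.text.strip() if issuer is not None and issuer.text else None


def select_idp_by_sp(authn_request_xml: str) -> Optional[str]:
    """Strategy 1: the requesting SP decides the IdP; unknown SPs are rejected."""
    entity_id = sp_entity_id(authn_request_xml)
    return SP_TO_IDP.get(entity_id) if entity_id else None


def select_idp_by_username(username: str) -> Optional[str]:
    """Strategy 2: exact, case-insensitive match on the domain after the last '@'.
    Exact match (not endswith) keeps 'evil.partner-a.example' away from partner A."""
    local_part, sep, domain = username.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local_part or not domain:
        return None  # malformed username: no routing decision yet
    return DOMAIN_TO_IDP.get(domain, LOCAL_IDP)  # unknown domain -> local password login


SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-id" Version="2.0" IssueInstant="2017-01-16T06:45:00Z">
  <saml:Issuer>https://sp1.example.com/saml</saml:Issuer>
</samlp:AuthnRequest>"""  # constructed; signature and other attributes omitted
```

In a real deployment the lookup tables would be replaced by the external script or API Challa describes, but the exact-match rule on the domain and the rejection of malformed usernames should stay in the proxy itself.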

By Mohib Zico staff 17 Jan 2017 at 12:14 a.m. CST

>> Gluu server should call a script which returns the domain given the username. The script might contact other customer services/api to determine the right IDP not just the domain. The external api will take care of determining the IDP based on the custom criteria.
Ok. Theoretically it seems possible, but we will know when we move to actual coding and testing.
>> Also, in the current Gluu selector as you have explained, I would like to know how does a Single Sign On works. For example SP1 accesses Gluu and redirects to IDP1, now if SP2 accesses Gluu from the same browser would it authenticate the user as the authentication already happened through Gluu or will it again redirect to IDP2?
I think it should redirect to IDP2.

By Challa Rao Ande user 17 Jan 2017 at 1:42 a.m. CST

Thanks for your help Mohib.

By Challa Rao Ande user 01 Mar 2017 at 1:35 a.m. CST

Hi Mohib, Is there any update on this? Thank you.

By Mohib Zico staff 01 Mar 2017 at 2:10 a.m. CST

Hi Challa, this is a custom feature. If we get a request from a customer, or if there is high demand from the community on this issue, we will engage.

By Matt Young user 11 Oct 2018 at 4:29 p.m. CDT

I am getting ready to implement this as well. We have a need for third-party COTS products that only speak SAML, but we want to front-end all the upstream IDPs with Gluu (this is a selector, maybe?) and, based on a request header or some URL analysis, select the correct IDP for SAML. For the record, our internal users should automatically select the local Shibboleth instance within Gluu as the IDP.