By: Annouar LAIFA user 14 Mar 2017 at 6:09 a.m. CDT

3 Responses
Hello everyone! In order to deploy a Federation solution, I am currently testing Gluu! I have to say that a great job was done on the tool!

The use case I need and am currently testing is the following: I have multiple remote IdPs (2 now, but more later) and an OpenAM SP. First, is it possible to redirect a user who wants to access restricted content to the correct IdP depending on email domain? For example, I have two IdPs from two different companies: IdPCompanyA and IdPCompanyB. I want the IdPCompanyA login page to be displayed to all users who try to access my resource with an email like xxxxxxxx@companyA.com, and the IdPCompanyB login page to be displayed to all users with email xxxxxxxx@companyB.com.

I really don't know if it's possible to do this with Gluu. That's why I am trying to deploy a Gluu Server with Asimba (it looks like it fits my needs). I have followed the following documentation page in order to deploy the architecture: https://gluu.org/docs/ce/2.4.4/admin-guide/saml/

Any idea on how to configure my own login page and choose my remote IdP depending on email domain?

Thanks a lot! A.

PS: I am really new to SAML and SSO concepts, sorry :(

By William Lowe user 14 Mar 2017 at 10:17 a.m. CDT

Hello Annouar, Was there a specific reason you chose to deploy 2.4.4 instead of the latest version 3.0.1? Since it looks like you have just started, I would recommend re-deploying the latest version of the software. And regarding your question, yes, the solution you are looking to achieve is called inbound SAML. You are looking to use email as the identifier. This too is possible. You are on the right track with Gluu Server + Asimba. Please follow these docs: [https://gluu.org/docs/ce/3.0.1/admin-guide/saml/#inbound-saml-asimba](https://gluu.org/docs/ce/3.0.1/admin-guide/saml/#inbound-saml-asimba). If you have additional questions, please open specific tickets on each question. Review our [ticket creation guide](https://support.gluu.org/docs/user-guide/how-to-ask/) to learn how to best ask Gluu support for assistance. Thanks, Will

By Annouar LAIFA user 14 Mar 2017 at 10:47 a.m. CDT

Hello William, First of all, thank you for your help! Actually, I've tried to work with the last version (3.0.1), but I had some troubles with Jetty. As I am more comfortable with Tomcat, I decided to do my POC with the 2.4.4 version (and update it next). So if I understand, I need to pass the user email to Asimba. But how should I pass it? And more importantly, is it possible to implement a script or something like that to let Gluu choose the correct IdP (I don't really get how to use an identifier). Thanks a lot! Annouar.

By Aliaksandr Samuseu staff 14 Mar 2017 at 11 a.m. CDT

Hi, Annouar. We currently recommend the setup described [here](https://gluu.org/docs/ce/latest/admin-guide/saml/#inbound-saml-asimba) to utilize Asimba in Gluu. It already makes you use our custom script, which is placed between Shibboleth and Asimba and serves as a sort of adapter for both, also handling storage of attributes received from remote IdPs. In this flow the user is presented with Asimba's default selector page and must choose the IdP he/she needs manually there. It may be possible to modify this script and make it do an educated guess based on some parameters your SP passes to Gluu in the initial request URL. Not sure such things are covered by free Community Support, though; you may need to do your own research.
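
The "educated guess" from a request parameter discussed in this thread, sketched as an added example in standalone Python (it is not Gluu's or Asimba's script and uses none of their APIs). The parameter name `login_hint`, the `select_idp` helper and the entityID values are assumptions made up for illustration; the hint is treated as untrusted input that can only pick among IdPs already configured.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed mapping: e-mail domain -> entityID of an already registered remote IdP.
# The entityIDs are placeholders, not values from this thread.
IDP_BY_DOMAIN = {
    "companya.com": "https://idp.companya.example/saml/metadata",
    "companyb.com": "https://idp.companyb.example/saml/metadata",
}
HINT_PARAM = "login_hint"  # hypothetical parameter the SP appends to the request URL


def domain_from_hint(hint):
    """Return the normalized domain of an e-mail-shaped hint, or None if malformed."""
    hint = (hint or "").strip()
    if not hint or len(hint) > 254 or hint.count("@") != 1:
        return None
    local, domain = hint.split("@")
    domain = domain.rstrip(".").lower()
    if not local or not domain:
        return None
    try:
        # Normalize internationalized names so look-alike encodings cannot
        # bypass the exact-match lookup; empty labels raise UnicodeError.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def select_idp(request_url):
    """Return the entityID to preselect, or None to show the normal selector page.

    The hint only chooses which login page is shown. The user's identity still
    comes from the signed assertion the chosen IdP returns, never from the hint.
    """
    values = parse_qs(urlsplit(request_url).query).get(HINT_PARAM, [])
    if len(values) != 1:  # missing or repeated parameter: do not guess
        return None
    domain = domain_from_hint(values[0])
    # Exact match against the allowlist: no suffix or substring matching, so
    # "companya.com.evil.example" does not select Company A's IdP.
    return IDP_BY_DOMAIN.get(domain)
```

Returning `None` for anything unrecognized keeps the manual selector page as the fallback, so a bad or missing hint never blocks login.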