By: Ben Cory user 19 Sep 2017 at 6:40 a.m. CDT

6 Responses
I have the following scenario. I have the .NET OIDC test app which uses the oxd client to connect to Gluu. I need the ability to potentially support an environment where the user must authenticate to an external IDP which only supports SAML. In the client I do not want to support anything other than an OIDC client (oxd client). I want to use Gluu to communicate with the external SAML IDP to gain authentication.

Following: [Gluu SAML Overview](https://gluu.org/docs/ce/admin-guide/saml/)

In SAML I believe this is an Inbound SAML workflow. There is an example where Asimba is deployed using Gluu as the external IDP, and the SP is a SAML client app communicating via the Shibboleth IDP. I am starting to follow this guide with the following: the external IDP is a publicly exposed ADFS in Azure. I have a Gluu server with all components deployed, including Asimba. The client is connecting to Gluu via the oxd client.

My question is: is this a supported setup? Is there any further documentation that may help me? Any clarification and pointers would be greatly appreciated.

By William Lowe user 19 Sep 2017 at 8:18 a.m. CDT

Ben, Asimba is pretty complicated, and we are actively trying to validate an inbound SAML strategy using the passport.js component so that we can pull Asimba out of the stack. But generally, you are on the right path. You will need to configure your Gluu Server to support inbound SAML with the external IDP. The flow should be something like: `web app -> gluu server -> external IDP -> web app`

Currently the inbound SAML docs you find are all we have. I will chat with the support team to see if we have any additional info about this setup. However, this is an advanced use case, and outside the scope of community support.

Thanks, Will

By Ben Cory user 19 Sep 2017 at 8:26 a.m. CDT

Thanks Will. I thought we could leave Asimba out of this if we have one external IDP, but from your response this is future Gluu. I got the impression it's quite complex compared to OIDC, so confirmation that I am on the right track is appreciated. Any additional info would be great, but I will continue with this.

Regards, Ben

By William Lowe user 19 Sep 2017 at 8:38 a.m. CDT

Yea, customers are currently doing this with Asimba. You only have one external IDP (total)? i.e. no additional IDPs will be added down the line?

Thanks, Will

By Ben Cory user 19 Sep 2017 at 8:41 a.m. CDT

Hi Will, the possibility is that a customer may have more than one, but as an edge case. The most likely scenario is that a customer may already have a SAML IDP which we must integrate with.

Regards, Ben

By William Lowe user 19 Sep 2017 at 9:17 a.m. CDT

I see. So you will want a streamlined and repeatable process for onboarding new customer SAML IDPs. This is definitely an area where paid support will help. The architecture of the setup is important, and we have quite a bit of experience helping organizations deliver this infrastructure.

By Ben Cory user 19 Sep 2017 at 9:27 a.m. CDT

Thanks Will, that is correct. The work I am currently doing is a POC just to see how this setup could be deployed. I will continue with: `OIDC -> Gluu (with Asimba) -> External IDP`

Regards, Ben