Search code examples
asp.netshibboleth

Can Shibboleth SP be configured to use mutliple IdPs for a single website?

I have an ASP.NET Website running on IIS 8 on Windows Server 2012. The website is a single site - e.g., www.example.com - that is used by different companies. Each company has several users on the site.

Currently, we require each user on the site to create an account on the website and that's how they authenticate.

Some companies want to have their users authenticate via Shibboleth, however. I have installed Shibboleth SP on Windows in the past, but from what I can tell it's designed so that there is a single Shibboleth IdP for the entire site. In this case, we'd need to be able to have, say, users A and B authenticate with one Shibboleth IdP while users X, Y and Z need to use a different Shibboleth IdP.

Is this configuration possible for Shibboleth SP on Windows? Are there any good examples/walkthroughs exploring this scenario in particular?

Solution

  • Shibboleth Service Provider is perfectly capable of handling users from multiple Identity Providers. A rather normal use case is that many Identity Providers and many Service Providers participate in a SAML 2.0 Identity Federation which enables the Service Providers to potentially trust and authenticate all users coming from all the participating Identity Providers.

    For your use case, you would need to

    1. Establish trust

      • Get the metadata from all the Identity Providers you would want to establish trust.
      • For each one you should set a line in your configuration file ( shibboleth2.xml ) as follows <MetadataProvider type="XML" file="idpX-metadata.xml"/>

    That would enable your Service Provider to allow for SSO with all the Identity Providers you name there.

    1. Allow users to select which Identity Provider (company) they are affiliated with. This can be rather simple if you use Shibboleth Service Provider as you can use the embedded discovery service ( see here )

    2. Properly differentiate between users coming from different companies (for authorization reasons) based on either scoped attributes in the attribute statement or the EntityID of the Identity Provider ( Issuer of the SAML Assertion )

    The Shibboleth SP wiki would have all the necessary information. Additionally you can check SP installation/configuration guides like this or this. They assume participating in an identity federation but for your use case, the only difference is that they would have a single metadata file ( the federation metadata ) where you will have a metadata file for each identity provider.