Tags: authentication, keycloak, saml-2.0, shibboleth, simplesamlphp

SAML2 IdP authentication forwarding


I have an app that authenticates against an IdP using SAML2. The app supports only one IdP.
The app is multi-tenant, and I need to forward each tenant's users to their own IdP.
So I need my local IdP (MyIdP, which is registered in the app) to ask the user for their tenant name and, based on that, forward the authentication to the appropriate IdP and then return its result to the app as its own result.
Something like an IdP proxy (is there a name for this functionality?).
Is it possible to do this using SimpleSAMLphp, Shibboleth, Keycloak or any other open source IdP?

(App)----->(MyIdP)-----------+-----(idP-Tenant-A)
              |              |-----(idP-Tenant-B)
              |              |-----(idP-Tenant-C)
   { Ask User Tenant Name
     and forward based on it }

Thanks


Solution

  • Yes, in Shibboleth this is called IdP Proxy, as you guessed. Here are the docs from Shibboleth.

    In Keycloak, you can do this using their identity brokering functionality. This can act as a proxy between different protocols like OIDC and SAML, but also from SAML to SAML. Have a look here for their documentation.

    On my blog I have a post showing how to use this as a proxy between OIDC and SAML. But the mechanics are the same if you want to proxy for SAML.
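As an added illustration of the mechanics both answers rely on (not code from the question, the answer, Shibboleth or Keycloak), here is the forwarding step of such an IdP proxy in plain Python with only the standard library: it decodes the app's Redirect-binding AuthnRequest, records it under a fresh upstream request ID, and builds a new AuthnRequest that sends the browser to the chosen tenant's IdP. All entity IDs, URLs and the tenant table are constructed placeholders; request signing, metadata validation and the return leg (answering the app with a Response whose InResponseTo matches the recorded request) are left out.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PROXY_ENTITY_ID = "https://myidp.example.com/proxy"    # constructed, hypothetical
PROXY_ACS_URL = "https://myidp.example.com/proxy/acs"  # constructed, hypothetical
TENANT_IDPS = {  # constructed tenant -> upstream IdP Redirect-binding SSO URL
    "tenant-a": "https://idp.tenant-a.example/sso/redirect",
    "tenant-b": "https://idp.tenant-b.example/sso/redirect",
}

def decode_redirect_request(saml_request: str) -> dict:
    """Decode a Redirect-binding SAMLRequest: base64 over raw DEFLATE (wbits=-15)."""
    root = ET.fromstring(zlib.decompress(base64.b64decode(saml_request), -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("expected samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.attrib["ID"], "issuer": None if issuer is None else issuer.text,
            "acs": root.attrib.get("AssertionConsumerServiceURL")}

def decode_redirect_url(url: str) -> dict:
    """Extract and decode the SAMLRequest parameter of a Redirect-binding URL."""
    return decode_redirect_request(parse_qs(urlparse(url).query)["SAMLRequest"][0])

def encode_redirect_request(xml: str) -> str:
    """Inverse of decode: raw DEFLATE then base64, as the Redirect binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()

def build_authn_request(issuer: str, acs_url: str, destination: str) -> tuple:
    """Return (request_id, AuthnRequest XML) naming `issuer` as the requester (unsigned)."""
    rid = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{rid}" '
           f'Version="2.0" IssueInstant="{now}" Destination="{destination}" '
           f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{issuer}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    return rid, xml

def route_to_tenant(saml_request: str, tenant: str, pending: dict) -> str:
    """Record the app's request under a fresh upstream ID and build the tenant-IdP redirect URL."""
    downstream = decode_redirect_request(saml_request)
    upstream_sso = TENANT_IDPS[tenant]  # unknown tenant -> KeyError, nothing is forwarded
    rid, xml = build_authn_request(PROXY_ENTITY_ID, PROXY_ACS_URL, upstream_sso)
    pending[rid] = {"tenant": tenant, **downstream}  # needed for InResponseTo on the way back
    return upstream_sso + "?" + urlencode({"SAMLRequest": encode_redirect_request(xml), "RelayState": rid})
```

The `pending` table is what makes it a proxy rather than a plain redirect: the app only ever trusts MyIdP, so MyIdP must answer the app's own request ID after the tenant IdP has authenticated the user.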