0
votes

A customer is currently trying to decide if they want a SAML 2.0-based SSO implementation for their application. However, their users have many different identity providers. I have built some SAML implementations, but they were all for one identity provider only and I don't have any hands-on experience with one application using many different identity providers.

Question: can you generally build one configurable SAML-client for multiple identity providers or do you have to build multiple distinct clients in order to service them all?

1
Yes, generally you can build one configurable SAML-client for multiple identity providers. What language do you use for your client? (xxxmatko)

The application is being developed using Mendix (model driven development platform using a Java backend, custom Java code is possible), so that adds another layer of complexity I just don't know enough about. (Richard Willems)

1 Answer

0
votes

A single Service Provider (SP) can use as many Identity Providers (IdP) as it wants. The only thing the SP needs to know is which IdP to use for a particular user. It does that in one of two ways. Either it displays a list of IdPs it knows about and the user selects one, or the user arrives at the SP on a 'WAYF-less' URL. WAYF means Where Are You From but is largely superseded by the SAML discovery process. Providing the entityID of the IdP to the SP bypasses the WAYF, hence WAYF-less URL.

e.g. you could have a URL scheme along the lines of:

https://yourapp.com/login?idp=https://someidp.com/shibboleth

https://someidp.com/shibboleth is the entityID of the IdP. Your SP looks up that entityID in its metadata store to find the SSO URL of the IdP and sends the user to their correct IdP for login.

Once your SP redirects the user to their IdP, the SAML flow is normal after that. So the only thing the SP needs to do is work out where that SSO URL is. All the IdPs will return the same SAMLResponse format but with their own attributes etc. of course.
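The lookup the answer describes, as an added worked example (not code from the answer, and not Mendix-specific; it is plain Python using only the standard library, and the two IdP metadata documents, hostnames and paths in it are constructed for illustration). It indexes each IdP's `SingleSignOnService` endpoints by `entityID`, resolves the `?idp=` value of a WAYF-less URL against that store, and then builds the HTTP-Redirect binding URL (deflated, base64-encoded `SAMLRequest`) for the resolved endpoint. The important defensive detail is in `resolve_sso_url`: the redirect target always comes from the SP's own metadata store, so an unknown or repeated `idp` value gets `None` rather than a redirect to wherever the query string points.

```python
"""Single SAML 2.0 SP, many IdPs: resolve ?idp=<entityID> to that IdP's SSO endpoint."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (hosts and paths are illustrative, not real IdPs).
IDP_METADATA = [
    f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://someidp.com/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://someidp.com/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://someidp.com/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""",
    f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://idp.example.org/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""",
]


def load_metadata_store(documents):
    """Index each IdP's SingleSignOnService endpoints by entityID, then by binding."""
    store = {}
    for doc in documents:
        root = ET.fromstring(doc)
        endpoints = {}
        for svc in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
            endpoints[svc.get("Binding")] = svc.get("Location")
        store[root.get("entityID")] = endpoints
    return store


def resolve_sso_url(store, login_url, binding=REDIRECT_BINDING):
    """Map the WAYF-less URL's ?idp= value to a known IdP's SSO endpoint.

    Returns None for a missing, repeated or unknown entityID: the SP only redirects
    to endpoints taken from its own metadata store, never to the query string itself.
    """
    values = parse_qs(urlsplit(login_url).query).get("idp", [])
    if len(values) != 1:
        return None
    endpoints = store.get(values[0])
    if endpoints is None:
        return None
    return endpoints.get(binding)


def build_authn_request(sp_entity_id, acs_url, destination):
    """Minimal unsigned AuthnRequest addressed to the resolved IdP endpoint."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{POST_BINDING}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def build_redirect_url(store, login_url, sp_entity_id, acs_url):
    """HTTP-Redirect binding: raw-deflate + base64 the request, append it as SAMLRequest."""
    sso_url = resolve_sso_url(store, login_url)
    if sso_url is None:
        return None
    xml = build_authn_request(sp_entity_id, acs_url, sso_url).encode()
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    payload = base64.b64encode(compressor.compress(xml) + compressor.flush()).decode()
    separator = "&" if "?" in sso_url else "?"
    return sso_url + separator + urlencode({"SAMLRequest": payload})


def decode_saml_request(redirect_url):
    """Inverse of the redirect encoding, useful for inspecting what the IdP will receive."""
    payload = parse_qs(urlsplit(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(payload), -15).decode()


if __name__ == "__main__":
    store = load_metadata_store(IDP_METADATA)
    url = build_redirect_url(store, "https://yourapp.com/login?idp=https://someidp.com/shibboleth",
                             "https://yourapp.com/saml/metadata", "https://yourapp.com/saml/acs")
    print(url)
    print(decode_saml_request(url))
```

In a real SP the metadata store would be loaded from the IdPs' published (ideally signed) metadata rather than inline strings, the AuthnRequest would be signed where the IdP requires it, and the SAMLResponse coming back would be validated against the signing certificate held in that same IdP's metadata record, which is what lets one SP trust many IdPs without trusting anything the `idp` parameter says by itself.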