Allow Multiple IdP entityIDs to be active at one time

Idea created by CBertagnolli Champion on Mar 17, 2015

Problem Description

CA SSO (as of 12.52 SP1) does not allow multiple partnerships for a single IdP entityID to be active at a time.

Problem Impact

Unable to create multiple unique configurations for a single identity provider. This limits the options to integrate with external IdPs in order to support dynamic authentication, identity mapping, and application integrations.

Currently, having only a single IdP 'active' means any dynamic-type feature requires multiple IdP entities, which may not be available with external partners that maintain only one entityID but support multiple request capabilities, or requires custom plug-ins, etc.

Request Change

Allow multiple IdPs to be active at one time. When calling the authnrequest and other Federation services on the SPS or Web Agent Option Pack, reference the configuration by NAME rather than entityID.

Benefit

Since the IdP partnerships are, to a degree, independent when working solely with them, being able to call by NAME/Alias allows better flexibility without custom plug-ins or code. For example, I could have three configurations for a partner IdP: (1) has single-factor authncontext processing at level 1, (2) has two-factor authncontext processing at level 2, and (3) has multi-step two-factor authncontext processing at level 3.

Authentication flows could then be handled dynamically very easily by simply altering the URL for different NAMEs. E.g.,

https://mysp.domain.com/affwebservices/public/saml2authnrequest?ProviderID=idp.domain.com-singleFactor

https://mysp.domain.com/affwebservices/public/saml2authnrequest?ProviderID=idp.domain.com-twoFactor

https://mysp.domain.com/affwebservices/public/saml2authnrequest?ProviderID=idp.domain.com-multiStep
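The alias-based selection described above, as an added Python illustration that is not CA SSO code: three partnerships share one IdP entityID, the ProviderID alias in the request URL picks the partnership, and the resulting SAML AuthnRequest carries that partnership's RequestedAuthnContext. The SP entityID, IdP SSO URL and the AuthnContext class URNs for the three levels are assumptions.

```python
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
import uuid

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "https://mysp.domain.com/sp"   # assumed SP entityID
IDP_ENTITY_ID = "idp.domain.com"              # the single partner entityID from the idea
IDP_SSO_URL = "https://idp.domain.com/sso"    # assumed IdP SSO endpoint

# Three partnerships for ONE IdP entityID, keyed by the NAME/alias passed as ProviderID.
# The AuthnContext class URNs are assumed; the third is a hypothetical custom class.
PARTNERSHIPS = {
    "idp.domain.com-singleFactor": {"entity_id": IDP_ENTITY_ID, "level": 1,
        "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"},
    "idp.domain.com-twoFactor": {"entity_id": IDP_ENTITY_ID, "level": 2,
        "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"},
    "idp.domain.com-multiStep": {"entity_id": IDP_ENTITY_ID, "level": 3,
        "authn_context": "urn:example:ac:classes:MultiStepTwoFactor"},
}

def resolve_partnership(request_url):
    """Select the partnership by the ProviderID alias, not by the IdP entityID.
    An unknown alias is rejected rather than falling back to a default partnership."""
    qs = parse_qs(urlparse(request_url).query)
    alias = qs.get("ProviderID", [None])[0]
    if alias not in PARTNERSHIPS:
        raise ValueError(f"unknown partnership alias: {alias!r}")
    return alias, PARTNERSHIPS[alias]

def build_authn_request(request_url):
    """Build a minimal SAML 2.0 AuthnRequest with the partnership's RequestedAuthnContext.
    Returns (alias, idp_entity_id, level, xml_string)."""
    alias, cfg = resolve_partnership(request_url)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cfg["authn_context"]
    return alias, cfg["entity_id"], cfg["level"], ET.tostring(req, encoding="unicode")
```

Every alias resolves to the same entityID, so the IdP side is unchanged; only the SP-side partnership (and therefore the requested authentication strength) differs per URL.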