Symantec Access Management

  • 1.  Can we configure multiple sets of assertion for same SP

    Posted Jul 23, 2015 01:35 AM

    Hi,

     

    We have a requirement where we need to set up SAML 2.0 based federation with a Service Provider (SP). Further, depending on whether the user is hitting the federated URL (SP-initiated) from the corporate network (intranet) or a public network (internet), we are required to send selected attributes in the SAML Assertion to the SP, i.e. only selected attributes when the user is coming from the internet (as compared to the whole list when he is coming from the intranet).

     

    Now we do have 2 instances of SPS (external facing and internet facing) which will handle the flow for the external requests and the internet requests respectively. So in theory we can actually have 2 sets of policies - realm, rule, response etc. - for them. However, when we create an Affiliate domain (and Service Provider object within), we have no way of creating 2 sets of affiliate objects (to allow us to create 2 sets of assertions) for the same SP (entity ID). Is that correct? Or is there any way we can achieve it?

     

    Thanks in advance,

    Sanjay



  • 2.  Re: Can we configure multiple sets of assertion for same SP

    Posted Jul 24, 2015 06:09 AM

    Hello Sanjay,

     

    Yes, it is correct that you can't have 2 SAML service providers with the same SPID. If you want to send separate attributes depending upon extranet/intranet, then you can have 2 SAML service providers with configurations for extranet/intranet in a single affiliate domain. But if you want to send the same attributes for extranet/intranet, then you can use a single SAML service provider with the relay state parameter, where you can set the relay state for either extranet or intranet.

     

    Hope this helps!

     

    Thanks