I have a requirement that can be summarized as below.
I am IDP1, which is supposed to act as an IDP proxy.
1. SP sends an AuthnRequest to IDP1.
2. IDP1 doesn't know the identities of a subset of the users.
3. IDP1 displays a link to this subset of users.
4. The users click on the link, which takes them to IDP2, who has the users' identities.
5. IDP2 authenticates the user and sends a SAML response to IDP1.
6. IDP1 reads the SAML response, does a lookup for one of the attributes, sticks that value in as another SAML attribute and sends it to the SP.
7. SP reads the response and serves the content.
Questions I have:
1. Is this possible with CA SiteMinder?
2. If it is, how would one implement this custom lookup?
3. Will this be set up as two partnerships, with IDP1 acting as both the IDP (for the SP) and the SP (for IDP2)?
4. Is there a better or easier approach for this?
Looking forward to your suggestions!
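As an added illustration of step 6 (IDP1 reads IDP2's assertion, looks up one attribute and adds the result as another attribute before asserting to the SP), here is a small Python sketch that is not part of the original post and not SiteMinder code; the attribute names, the lookup table and the sample assertion are constructed placeholders, and it assumes the inbound assertion's signature and conditions were already verified.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)

# Constructed sample: the AttributeStatement IDP2 returns to IDP1
# (hypothetical attribute names; real deployments vary).
IDP2_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@idp2.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed lookup table IDP1 consults (an LDAP or DB query in practice).
MAIL_TO_EMPLOYEE_ID = {"alice@idp2.example": "E1001"}

def read_attributes(assertion_xml):
    """Return {name: [values]} from the assertion's AttributeStatement.
    Assumes the signature, audience and validity window were checked first."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def proxy_attributes(incoming, source, target, table):
    """Look up the first value of `source` and add the result as `target`.
    Fail closed: an unmapped user gets no assertion issued for them."""
    key = (incoming.get(source) or [None])[0]
    if key not in table:
        raise LookupError(f"no mapping for {source}={key!r}")
    return {**incoming, target: [table[key]]}

def build_attribute_statement(attrs):
    """Serialize the outgoing AttributeStatement IDP1 places in its own assertion."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for name, values in attrs.items():
        a = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        for v in values:
            ET.SubElement(a, f"{{{SAML}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")

if __name__ == "__main__":
    inbound = read_attributes(IDP2_ASSERTION)
    outbound = proxy_attributes(inbound, "mail", "employeeId", MAIL_TO_EMPLOYEE_ID)
    print(build_attribute_statement(outbound))
```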