SAML IDP with multiple inbound URLs? possible? #SAML #IDM #identity #infosec


I had an interesting use case come up this morning and I am wondering if there are any “federation” products that can handle this use case. My client would like to configure the IDP to handle different sets of users (let’s call them “internal” and “external”). To avoid external users being redirected to the IDP directly, it has been front-ended with a proxy (Apache HTTP) located in the DMZ. Internal users should have access to the same SPs … but we probably don’t want the internal users getting redirected to the proxy located in the DMZ. One of the products that I work with can only have one “server url” configured (that I know of) … do other products allow for multiple URLs to be configured? Would love to hear if this is actually a “problem” and if so how other vendors have implemented it. The easy solution on our part is to deploy another federation server (IDP) to handle the different users … personally I hate to keep telling the customer to deploy a new instance each time a new use case comes up. I don’t think that scales very well.

  1. #1 by Nick on April 30, 2012 - 5:52 pm

    Depends how your load balancing and DNS are configured, but you should be able to use these so that the same name resolves to the proxy for external users, but directly to the hosts / load balancer for internal users (or deploy an internal Apache that resolves the same name as the external one, for the same effect).

  2. #2 by Chris on April 30, 2012 - 6:17 pm

    What Nick said. It’s usually called “Split DNS” – the internal users go one place and external users go somewhere else. It’s quite common.

  3. #3 by Marc on May 1, 2012 - 7:02 am

    It’s very easy with Tremolo Prelude. Every IdP is configured as a URL, so you can just set up separate IdPs in the same Prelude instance based on different URLs and point both DNS entries to the same IP addresses. If you want it the other way, where both URLs point to the same IdP and configuration, that’s very easy too since each IdP can have multiple hosts associated with it.

  4. #4 by Brad Tumy on May 4, 2012 - 2:34 pm

    Thanks for the feedback guys. I was concerned with configuring the URL in server properties and being restricted to offering the same URI for both internal and external. I think this can be overcome by managing at the DNS level as opposed to the Server level. Thanks again, good conversation!
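The split DNS arrangement Nick and Chris describe, as an added example that is not from the original post or any of the commenters: a BIND 9 named.conf fragment with two views, so the single IdP hostname published in the SAML metadata resolves to the IdP itself for internal clients and to the DMZ Apache proxy for everyone else. The hostname idp.example.com, the addresses, the ACL ranges and the zone file paths are constructed placeholders.

```conf
# Split-horizon DNS for the IdP hostname (BIND 9 named.conf fragment).
# Added example, not from the original post. All names and addresses
# are constructed placeholders:
#   idp.example.com  - the one hostname the IdP publishes in its metadata
#                      (SingleSignOnService Location, entityID, etc.)
#   10.0.0.20        - the IdP server on the internal network
#   203.0.113.10     - the Apache reverse proxy in the DMZ

acl "internal-clients" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

# Views are matched in order: internal clients hit this view first and
# receive the IdP's real address, so their browsers are never sent
# through the DMZ proxy.
view "internal" {
    match-clients { "internal-clients"; };
    recursion yes;
    zone "example.com" {
        type master;
        # zone file contains:  idp  IN  A  10.0.0.20
        file "/etc/bind/zones/example.com.internal";
    };
};

# Everyone else resolves the same name to the proxy's public address.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        # zone file contains:  idp  IN  A  203.0.113.10
        file "/etc/bind/zones/example.com.external";
    };
};
```

Because both populations resolve the identical name, the IdP keeps its single configured server URL and the SPs keep one set of IdP metadata; only the path the HTTP request takes differs. The DMZ proxy should forward the original Host header (ProxyPreserveHost On in Apache mod_proxy) so the IdP sees the same URL from both sides and signs responses with consistent endpoint values.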

