SAML IDP with multiple inbound URLs? possible? #SAML #IDM #identity #infosec


I had an interesting use case come up this morning and I am wondering if there are any “federation” products that can handle this use case.  My client would like to configure the IDP to handle different sets of users (let’s call them “internal” and “external”).  To avoid external users being redirected to the IDP directly, it has been front-ended with a proxy (Apache HTTP) located in the DMZ.  Internal users should have access to the same SPs … but we probably don’t want the internal users getting redirected to the proxy located in the DMZ.  One of the products that I work with can only have one “server url” configured (that I know of) … do other products allow for multiple URLs to be configured?  I would love to hear if this is actually a “problem” and, if so, how other vendors have implemented it.  The easy solution on our part is to deploy another federation server (IDP) to handle the different users … personally I hate to keep telling the customer to deploy a new instance each time a new use case comes up.  I don’t think that scales very well.


5 Comments


  2. It depends on how your load balancing and DNS are configured, but you should be able to use these so that the same name resolves to the proxy for external users, but directly to the hosts / load balancer for internal users (or deploy an internal Apache that resolves to the same name as the external one, for the same effect).

  3. It’s very easy with Tremolo Prelude. Every IdP is configured as a URL, so you can just set up separate IdPs in the same Prelude instance based on different URLs and point both DNS entries to the same IP addresses. If you want it the other way, where both URLs point to the same IdP and configuration, that’s very easy too, since each IdP can have multiple hosts associated with it.

  4. Thanks for the feedback, guys. I was concerned with configuring the URL in server properties and being restricted to offering the same URI for both internal and external. I think this can be overcome by managing it at the DNS level as opposed to the server level. Thanks again, good conversation!
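The split-DNS arrangement suggested in the comments, written out as an added example (this is not configuration from the original post, from the commenters, or from any vendor’s documentation). It assumes the IdP’s single configured server URL is https://idp.example.com, that the IdP’s federation endpoints live under /idp/saml2/ and /idp/metadata, and that the DMZ proxy reaches the IdP at the internal name idp-backend.internal; all of these names and paths are placeholders. The second “inbound URL” is supplied by DNS, not by the IdP: the public DNS zone points idp.example.com at this DMZ proxy, while the internal DNS view points the same name at the IdP (or its load balancer) directly, so internal users never traverse the DMZ and every SP sees one entityID and one set of endpoints.

```apache
# Added example of a DMZ Apache httpd reverse proxy in front of a SAML IdP
# that can only be configured with one server URL (https://idp.example.com).
# Hostnames, paths, certificate locations and the backend name are assumed
# for illustration; substitute your own.

<VirtualHost *:443>
    ServerName idp.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/idp.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/idp.example.com.key

    # Forward the Host header unchanged. The IdP builds its SAML endpoint
    # and metadata URLs from the request host, so it must keep seeing
    # idp.example.com, not the backend name.
    ProxyPreserveHost On
    ProxyRequests Off

    # Let the IdP know the client side was HTTPS so it emits https:// URLs.
    RequestHeader set X-Forwarded-Proto "https"

    # Deny everything by default; only the federation endpoints below are
    # reachable from the DMZ. Admin consoles, health and JMX pages stay
    # internal-only.
    <Location />
        Require all denied
    </Location>
    <LocationMatch "^/idp/(saml2/(sso|slo)|metadata)">
        Require all granted
    </LocationMatch>

    # Re-encrypt to the IdP and verify its certificate against the
    # internal CA. The IdP's certificate must list idp-backend.internal
    # (as a SAN) or peer-name checking will fail.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem

    ProxyPass        /idp/saml2/sso https://idp-backend.internal/idp/saml2/sso
    ProxyPassReverse /idp/saml2/sso https://idp-backend.internal/idp/saml2/sso
    ProxyPass        /idp/saml2/slo https://idp-backend.internal/idp/saml2/slo
    ProxyPassReverse /idp/saml2/slo https://idp-backend.internal/idp/saml2/slo
    ProxyPass        /idp/metadata  https://idp-backend.internal/idp/metadata
    ProxyPassReverse /idp/metadata  https://idp-backend.internal/idp/metadata
</VirtualHost>
```

Two checks are worth running after deploying this. First, resolve idp.example.com from an external client and from an internal client and confirm they return the DMZ proxy address and the internal IdP address respectively. Second, fetch /idp/metadata through both paths and confirm the SingleSignOnService and SingleLogoutService Location attributes are identical and use https://idp.example.com; if the proxied copy shows the backend name, ProxyPreserveHost or X-Forwarded-Proto is not reaching the IdP and SPs will reject the Destination mismatch.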
