One IDP, multiple federation options?


Is it possible to do this:

NAM IDP has a configured trusted third-party IDP.

But let's say you have some AG protected resources that require
Federation and others that do not.

It seems the federation is defined in the Trusted IDP configuration, not
as an auth method.

So can you have multiple trusted third-party IDPs defined within NAM that
actually ARE the same "source", just configured differently, and then
have the diff. methods defined that tell it which one to use???


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=47766


Re: One IDP, multiple federation options?


kjhurni;229557 Wrote:
> Is it possible to do this:
>
> NAM IDP has a configured trusted third-party IDP.
>
> But let's say you have some AG protected resources that require
> Federation and others that do not.
>
> It seems the federation is defined in the Trusted IDP configuration, not
> as an auth method.
>
> So can you have multiple trusted third-party IDP defined within NAM that
> actually ARE the same "source", just configured differently and then you
> have the diff. methods defined that tell it which one to use???


In case others are wondering:

Okay, I'm going to paraphrase the phone call I had with Neil:

No, it cannot be done (more than likely) because:

When you add a trusted Provider into NAM, you get a metadata file (or
fetch it yourself) that has an entityID.
The same thing happens when the Provider fetches the NAM metadata (NAM
has an entityID per IDP cluster as well).

So if you TRIED to add another Trusted Provider in NAM, it would give
you an error when you imported the metadata file because it would have
the same entityID as your pre-existing one.

Likewise, even if you COULD get the Trusted Provider to change their
entityID, their end would probably have a bird when they tried to import
your NAM IDP SP metadata file a second time as well.


So the workarounds:

1) Set up another AG/IDP cluster (it's just VMs, right, --haha) where
one IDP federates and one does not. More work to maintain and more
VM/hardware.

2) Use something like Google/Facebook for your "public" stuff (i.e., we
just want to know who you are, but anyone can get in to see the stuff)
and use the "other" trusted Provider to Federate. Again, doesn't work so
hot if you are using Google/Facebook for dual-purpose (then you use #1).


--
kjhurni
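The reply's reason is that a trusted provider is keyed by the entityID in its SAML metadata, so importing the same partner twice with different settings is refused. As an added example (not code from the thread or from NetIQ Access Manager), here is a pre-import check that parses SAML 2.0 metadata, extracts the entityID and rejects a candidate that collides with an already configured provider; the metadata documents and the provider names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def entity_id(metadata_xml: str) -> str:
    """Extract the entityID from a SAML 2.0 md:EntityDescriptor document."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    eid = root.get("entityID")
    if not eid:
        raise ValueError("EntityDescriptor carries no entityID attribute")
    return eid

def check_import(configured: dict, display_name: str, metadata_xml: str) -> Optional[str]:
    """Mirror the one-provider-per-entityID rule: return a rejection reason if the
    candidate's entityID is already configured, otherwise register it and return None."""
    eid = entity_id(metadata_xml)
    for name, existing_eid in configured.items():
        if existing_eid == eid:
            return f"entityID {eid} already used by trusted provider '{name}'"
    configured[display_name] = eid
    return None

# Constructed sample: the same partner IdP exported twice with a different
# setting (WantAuthnRequestsSigned), but necessarily the same entityID.
PARTNER_STRICT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.partner.example/saml2/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
PARTNER_RELAXED = PARTNER_STRICT.replace(
    'WantAuthnRequestsSigned="true"', 'WantAuthnRequestsSigned="false"')

def demo() -> Optional[str]:
    """First import succeeds; the second, differently configured copy is refused."""
    configured = {}
    first = check_import(configured, "Partner-Federated", PARTNER_STRICT)
    assert first is None
    return check_import(configured, "Partner-Public", PARTNER_RELAXED)

if __name__ == "__main__":
    print(demo())
```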
