Skip to Content.
Sympa Menu

metadata-support - Re: [Metadata-Support] Multiple IdP's in InCommon

Subject: InCommon metadata support

List archive

Re: [Metadata-Support] Multiple IdP's in InCommon

Chronological Thread 
  • From: Nick Roy <>
  • To: "" <>
  • Subject: Re: [Metadata-Support] Multiple IdP's in InCommon
  • Date: Fri, 26 Jan 2018 19:19:12 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:jRgTtRV8z0qyJwAxprj9RsBMwInV8LGtZVwlr6E/grcLSJyIuqrYbBCEt8tkgFKBZ4jH8fUM07OQ7/i5HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9vIBmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KptVRTmijoINyQh/W/XlMJ+kb5brhyiqRxxwo7bfI6bO/Vlc6PBZNMWWXZNUtpNWyBcBI63cosBD/AGPeZdt4Tzv1oOoge9BQKxGO3vzT9JjWLx0K08yeQhFgHH0RchH9IIrHTbss/1NKEMXuCp0qXE1yvMYO5L2Trk7oXDbxMvoemUUL5tbcbcxlMjGgzHg1mKpoHpIimZ2+ARv2SD7edtW/ijh3Mopg1rvzSj28chhpPUio8X11zJ8zhyzpwvKt2iUkF7ZMapEJtOuCGeMIt7WtssTn1vtiomxLAKoJC1ci8ExZg+wB7QcOKIf5KP4hL+SOaeOjB4hG9jeL2inRqy6VKgyurgVsaqzFlKsitFkt7KtnwX0BzT99SHSv96/kem2jaDzRzc6uZBIUwslKrbLYAuwqIom5YOrUjOETX6lUr0gaOMeUgo5/Kk5uD7brn+o5+TLY50igXwMqQ0ncy/BPw1Mg4UX2ic+eWxz7zj/UvlQLpUlP02lLfWsIzEKcgBuKG2HhJV3p456xmjFzemzMgYnX4fIVJEfhKIk4/pO1TLIPD/C/ezmVOskC1kx/zfO73uHInNIWLen7j7YbZy8VdQyBEuzdBH/5JUDasBIO7oV0/1tdzYFQM5Mxeqz+r9CdV90J8eVnyVAq+fLqzSrUGE6vgxLOaReY9G8Ar6frIg6uLngXYlkBoGYLGx2oELQHG+FfNjJkKfJ332jZ1JRWIHogMyRfDjzUafSSZUfWqaXqQ34TQ+D4TgCp3MENODmruEiQG6FZ4eXGdXQgSKC3D5X4SCR/oWbi+OeIlsniFSBuvpcJMoyRz77Fyy8LFgNOeBoiA=
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Hi Roy,

InCommon tries to ensure that each institution lists only one IdP in
metadata, since having more than one IdP can cause very large change
management and loss of access problems for your users, among other
problems. If you want to migrate from one IdP to the other and retire
one of the two IdPs long term, please let me know and we can discuss
options. If you truly want to have two IdPs, one for one purpose and
the other for another purpose (say, Shibboleth for SAML federation in
InCommon, since Shibboleth actually works for that purpose, and ADFS
does not) and keep ADFS for your bilateral stuff, that would be an
option. In that case, you could consider having ADFS front Shibboleth
using a RemoteUser login handler, so that you get perceived Single
Sign-On for your users. Or you could try to front ADFS authentication
with Shib, but then you'd probably lose SPNEGO / Windows Integrated
Authentication (if that is what you're using) unless you modify your
Shib deployment.

If you do decide you need two IdPs in metadata, there is a charge for
that. Please email

to request an additional IdP.
Again, I'd strongly recommend you not do this.

Best Regards,

Nick Roy
Director of Technology and Strategy, InCommon

On 1/26/18 12:00 PM, Roy Hatcher wrote:
> Greetings,
> I'm writing because our institution, University of Arkansas, has begun
> using AzureAD SSO for single sign-on purposes. However, we have also
> been running Shibboleth IDP for years, and want to continue to use it,
> as well, in the near term.
> We're currently trying to work with a new Service Provider that requires
> our Metadata be loaded into a federation aggregate, however, we would
> like to configure this SP to work with AzureAD rather than Shibboleth.
> Logging into Federation Manager, there doesn't appear to be a way to
> allow two different sets of IDP metadata.
> Is there a method for allowing both our IDP's metadata to be loaded into
> the InCommon aggregates?
> Thank you,
> Roy
> --
> Roy Hatcher
> Security Analyst
> University of Arkansas

Archive powered by MHonArc 2.6.19.

Top of Page