
metadata-support - Re: [Metadata-Support] Multiple IdP's in InCommon

Subject: InCommon metadata support


Re: [Metadata-Support] Multiple IdP's in InCommon


  • From: Patrick Radtke <>
  • To:
  • Subject: Re: [Metadata-Support] Multiple IdP's in InCommon
  • Date: Fri, 26 Jan 2018 11:40:46 -0800

Hi Roy,

I believe InCommon requires that your IdP entity ID be from a domain you control. 
AzureAD's entityIds are under https://sts.windows.net/[tenant] and would not qualify.
I don't believe they support editing the IdP entityID.

I believe you would also face issues with the signing keys. AzureAD publishes 3 signing keys, and I believe InCommon's UI supports 2.
We've had a customer experience unexpected SAML key rotation on the free tier of AzureAD. If you experienced such an event it may take over a day to get your updated keys published and distributed through the federation.

- Patrick

On Fri, Jan 26, 2018 at 8:37 AM, Roy Hatcher <> wrote:

Greetings,
I'm writing because our institution, University of Arkansas, has begun using AzureAD SSO for single sign-on purposes. However, we have also been running Shibboleth IDP for years, and want to continue to use it, as well, in the near term.
We're currently trying to work with a new Service Provider that requires our Metadata be loaded into a federation aggregate, however, we would like to configure this SP to work with AzureAD rather than Shibboleth.

Logging into Federation Manager, there doesn't appear to be a way to allow two different sets of IDP metadata.
Is there a method for allowing both our IDP's metadata to be loaded into the InCommon aggregates?
Thank you,

Roy
--

Roy Hatcher

Security Analyst

University of Arkansas
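As an added example (not code from either message, from InCommon or from Microsoft), the following Python pre-check applies the two constraints Patrick raises above, that the entityID must sit under a domain the institution controls and that the Federation Manager UI takes at most two signing keys, to a constructed AzureAD-style IdP metadata snippet. The controlled-domain list, the placeholder tenant GUID and the placeholder certificates are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: an sts.windows.net entityID (placeholder tenant GUID) with
# three signing KeyDescriptors, mirroring the situation described in the thread.
AZURE_STYLE_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
KEY_TMPL = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>PLACEHOLDER-CERT-{n}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
    '<md:IDPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol">%s</md:IDPSSODescriptor>'
    '</md:EntityDescriptor>'
) % (NS["md"], NS["ds"], AZURE_STYLE_ENTITY_ID,
     "".join(KEY_TMPL.format(n=i) for i in (1, 2, 3)))


def check_idp_metadata(xml_text, controlled_domains, max_signing_keys=2):
    """Flag the registration problems raised in the thread.

    controlled_domains: DNS domains the institution controls (assumed list).
    max_signing_keys: the UI limit of two signing keys that Patrick cites.
    """
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    host = (urlparse(entity_id).hostname or "").lower()
    domains = [d.lower().strip(".") for d in controlled_domains]
    domain_ok = any(host == d or host.endswith("." + d) for d in domains)

    idp = root.find("md:IDPSSODescriptor", NS)
    keys = idp.findall("md:KeyDescriptor", NS) if idp is not None else []
    # A KeyDescriptor with no 'use' attribute is valid for signing as well.
    signing = [k for k in keys if k.get("use", "signing") == "signing"]

    problems = []
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
    if not domain_ok:
        problems.append(f"entityID host {host!r} is not under a controlled domain")
    if len(signing) > max_signing_keys:
        problems.append(f"{len(signing)} signing keys published, "
                        f"UI accepts {max_signing_keys}")
    return {"entity_id": entity_id, "entity_id_in_controlled_domain": domain_ok,
            "signing_keys": len(signing), "problems": problems}
```

Running it on the sample reports both problems; swapping in a Shibboleth-style entityID under the controlled domain and raising the key limit clears them.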