SAML-Toolkits/python3-saml

Using WAYF/Discovery with shibboleth

Closed this issue · 1 comments

Is it possible to configure python3-saml to use a WAYF/discovery service with Shibboleth, and what would the configuration for that look like? Like a matching config for something like

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.aai.dfn.de/DFN-AAI-eduGAIN/wayf">
    SAML2
</SSO>

That feature is not supported by the toolkit.

But if you plan to support multiple IdPs in your app, there are many ways to support the way IdPs are going to be discovered:

  • In a multi-tenancy environment, use a subdomain or URL path to isolate customers and related IdPs.
  • In a single environment, use GET parameters on the SAML endpoints to determine which IdP should be used, and discover this by extending the login page and:
    a) Offer the user a list of different IdPs to be accessed via click.
    b) Ask the user for their email, and use the email domain to relate to a specific customer and related IdP.
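An added example, not code from python3-saml or from the comment author, of the per-request IdP selection described above: the IdP key comes from a `?idp=` GET parameter or from the e-mail domain, is checked against an allowlisted registry (so no IdP URL or certificate is ever taken from the request), and the result is shaped as the settings dict that python3-saml accepts via `OneLogin_Saml2_Auth(request_data, old_settings=...)`. The registry entries, hostnames and certificate string are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs

REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed registry: one entry per customer/IdP. Only these keys may be
# named by a request; SSO URLs and certs are never read from user input.
IDP_REGISTRY = {
    "acme": {"domains": {"acme.example"},
             "entityId": "https://idp.acme.example/saml/metadata",
             "sso_url": "https://idp.acme.example/saml/sso",
             "x509cert": "MIIC...placeholder-acme..."},
    "globex": {"domains": {"globex.example", "mail.globex.example"},
               "entityId": "https://idp.globex.example/saml/metadata",
               "sso_url": "https://idp.globex.example/saml/sso",
               "x509cert": "MIIC...placeholder-globex..."},
}

SP_SETTINGS = {"entityId": "https://sp.example/saml/metadata",
               "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}


def select_idp(query_string: str, email: Optional[str] = None) -> str:
    """Return a registry key from ?idp=<key>, else from the e-mail domain."""
    key = parse_qs(query_string).get("idp", [None])[0]
    if key is not None:
        if key not in IDP_REGISTRY:
            raise ValueError("unknown IdP key")  # never build settings from it
        return key
    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].strip().lower()
        for k, idp in IDP_REGISTRY.items():
            if domain in idp["domains"]:
                return k
    raise ValueError("no IdP could be determined for this request")


def build_settings(key: str) -> dict:
    """Settings dict for python3-saml, bound to one allowlisted IdP."""
    idp = IDP_REGISTRY[key]
    sp = dict(SP_SETTINGS)
    # Carry the key in the ACS URL so the ACS endpoint resolves the same IdP
    # when validating the response (python3-saml then checks the response
    # Issuer and signature against exactly this idp entry).
    sp["assertionConsumerService"] = {"url": f"https://sp.example/saml/acs?idp={key}",
                                      "binding": POST}
    return {"strict": True, "sp": sp,
            "idp": {"entityId": idp["entityId"],
                    "singleSignOnService": {"url": idp["sso_url"], "binding": REDIRECT},
                    "x509cert": idp["x509cert"]}}
```

The e-mail domain only chooses which IdP to redirect to; it is not authenticated, so after the response is validated the NameID or attributes should still be checked against the tenant selected by the ACS key.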