IdP Proxying

Universities and Colleges operating within the UK federation often have multiple Identity Providers within their organisations, and we are frequently asked about the Inter-operability of SAML Identity Provider (IdP) products such as Microsoft Azure, Microsoft AD FS (Active Directory Federation Services) and Net IQ Access Manager (NAM).

Unfortunately, many of these IdPs cannot inter-operate within a multi-lateral mesh federation such as the UK federation (and by extension eduGAIN). Additionally, organisations may operate other single sign-on systems such as CAS (Central Authentication Service), which because they use the CAS protocol which is incompatible with the SAML protocol used within the UK federation.

There are advantages and disadvantages to IdP Proxying these are:

Advantages

  • A true single sign-on experience for your end-users
  • Ability to leverage functionality available in the other IdP (e.g. within Azure, the Azure Multi-Factor Authentication solution and some aspects of conditional access), without requiring additional support within the Shibboleth IdP

Disadvantages

  • A more complex infrastructure that utilises multiple IdPs and a SAML SP, potentially has more single points of failure and is more difficult to explain.
  • Users loss of experience of the authentication flow at the IdP that is participating in the UK federation
    • Loss of Metadata User Information (mdui) from the SP metadata, this can be mitigated by using the Consent module in the Shibboleth IdP.
    • Loss of control of elements of the process such as Multi-Factor Authentication, where this would either be on or off for all federated services, based on the Other IdPs configuration.
  • If you're considering dropping a local attribute resolver in favour of a directory-less IdP then you'll need to make sure that you don't use any back-channel SAML flows (which will no longer work).

Options available to organisations