I had an interesting use case come up this morning and I am wondering if there are any “federation” products that can handle this use case. My client would like to configure the IDP to handle different sets of users (let’s call them “internal” and “external”). To avoid external users being redirected to the IDP directly, it has been front-ended with a proxy (Apache HTTP) located in the DMZ. Internal users should have access to the same SPs … but we probably don’t want the internal users getting redirected to the proxy located in the DMZ. One of the products that I work with can only have one “server url” configured (that I know of) … do other products allow for multiple URLs to be configured? Would love to hear if this is actually a “problem” and, if so, how other vendors have implemented it. The easy solution on our part is to deploy another federation server (IDP) to handle the different users … personally I hate to keep telling the customer to deploy a new instance each time a new use case comes up. I don’t think that scales very well.
Pingback: Brad Tumy – Oracle: SAML IDP with multiple inbound URLs? possible? #SAML #IDM #identity #infosec … « oracleidentitymanagement
It depends on how your load balancing and DNS are configured, but you should be able to use these so that the same name resolves to the proxy for external users, but directly to the hosts / load-balancer for internal users (or deploy an internal Apache that resolves to the same name as the external one, for the same effect).
What Nick said. It’s usually called “split DNS” – the internal users go one place and external users go somewhere else. It’s quite common.
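To make the split-DNS approach concrete, here is an added example (not code from the original post, nor from any of the products mentioned). It assumes a single public IdP hostname, `idp.example.com`, that internal resolvers answer with an internal load-balancer address and external resolvers answer with the DMZ proxy address; the metadata, addresses and the internal hostnames are constructed for illustration. It does two things a practitioner would want to check in this setup: it scans the IdP’s published metadata for any endpoint that leaked a hostname other than the one public name (such an endpoint cannot be reached through the split-DNS name and, for external users, would point straight at the internal network), and it simulates the IdP’s Destination comparison for a signed AuthnRequest to show why the DMZ reverse proxy must forward the original Host header (Apache’s `ProxyPreserveHost On`) rather than rewriting it to the backend name.

```python
"""Checks for a SAML IdP fronted by split DNS: one public hostname, two paths.

Added example, not from the original post. Hostnames, addresses and metadata
below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PUBLIC_HOST = "idp.example.com"  # hypothetical single public IdP name

# Constructed sample IdP metadata. The SingleLogoutService endpoint has
# "leaked" an internal hostname, which foreign_hosts() is meant to catch.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/idp/profile/SAML2/POST/SSO"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-internal.corp.example.com/idp/profile/SAML2/Redirect/SLO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed split-horizon answers: same name, different address per vantage point.
SPLIT_DNS = {
    "internal": {PUBLIC_HOST: "10.20.30.40"},    # hypothetical internal LB in front of the IdP
    "external": {PUBLIC_HOST: "203.0.113.10"},   # hypothetical Apache reverse proxy in the DMZ
}


def endpoint_hosts(metadata_xml):
    """Return {element name: [hostname, ...]} for every endpoint Location in the metadata."""
    hosts = {}
    for elem in ET.fromstring(metadata_xml).iter():
        location = elem.get("Location")
        if location:
            name = elem.tag.split("}")[-1]          # strip the md: namespace
            hosts.setdefault(name, []).append(urlparse(location).hostname.lower())
    return hosts


def foreign_hosts(metadata_xml, public_host=PUBLIC_HOST):
    """List (endpoint, hostname) pairs whose hostname is not the single public name."""
    return [(name, host)
            for name, hosts in endpoint_hosts(metadata_xml).items()
            for host in hosts
            if host != public_host.lower()]


def resolve(view, name):
    """Look the name up in the constructed split-horizon view ("internal"/"external")."""
    return SPLIT_DNS[view].get(name)


def destination_check(configured_sso_url, request_host, request_path, scheme="https"):
    """Simplified model of the IdP comparing the URL a signed request arrived on
    (as rebuilt from scheme, Host header and path) with its configured endpoint,
    which is what the SAML Destination attribute is validated against."""
    return f"{scheme}://{request_host}{request_path}" == configured_sso_url


if __name__ == "__main__":
    print("endpoints not on the public name:", foreign_hosts(IDP_METADATA))
    for view in ("internal", "external"):
        print(f"{view:9s} {PUBLIC_HOST} -> {resolve(view, PUBLIC_HOST)}")
    sso = "https://idp.example.com/idp/profile/SAML2/Redirect/SSO"
    path = "/idp/profile/SAML2/Redirect/SSO"
    # Proxy preserves the client's Host header: the IdP's single configured URL matches.
    print("ProxyPreserveHost On :", destination_check(sso, "idp.example.com", path))
    # Proxy rewrites Host to the backend name: the same request now fails the check.
    print("ProxyPreserveHost Off:", destination_check(sso, "idp-backend.corp.example.com", path))
```

In practice the same idea is applied with real tools: `dig @<internal resolver>` and `dig @<external resolver>` for the public name should return different addresses, the metadata is fetched from the IdP and checked for stray hostnames, and the DMZ Apache vhost carries `ProxyPreserveHost On` (and passes the original scheme, e.g. via `X-Forwarded-Proto`) so that the one “server url” the IdP is configured with is also the URL every request appears to arrive on.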
It’s very easy with Tremolo Prelude. Every IdP is configured as a URL, so you can just set up separate IdPs in the same Prelude instance based on different URLs and point both DNS entries to the same IP addresses. If you want it the other way, where both URLs point to the same IdP and configuration, that’s very easy too, since each IdP can have multiple hosts associated with it.
Thanks for the feedback, guys. I was concerned with configuring the URL in the server properties and being restricted to offering the same URI for both internal and external. I think this can be overcome by managing it at the DNS level as opposed to the server level. Thanks again, good conversation!