000011637 - Associating multiple local IdPs entities with one partner SP entity.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000011637
Applies To: Federated Identity Management Module 4.1
Issue: Associating multiple local IdP entities with one partner SP entity.
Does FIM support Multiple IdPs with one SP?

In FIM, once a partner entity is associated with a local entity, that same partner cannot be associated with any other local entity: the partner must be unique, so two local entities cannot share one partner. Furthermore, within a given association each side (local and partner) plays exactly one role, either IdP or SP. Once a partner is associated with a local entity in one role, such as IdP, that partner cannot also be used in the SP role. The SP role becomes available only if you detach or modify the existing association and change the role.

This behavior has been in place since the product's inception and is the same for SAML 1.1 and SAML 2.0.

Uniqueness of a relying party (RP, the SAML 1.1 term for the SP side) is enforced by its recipient URI, and uniqueness of an asserting party (AP, the IdP side) by its IssuerID. This means you cannot have two partner RPs in the system with the same recipient URI, or two partner APs with the same IssuerID, so the same partner cannot be associated multiple times in a single system. This is a core assumption in the design and architecture of the product. A workaround is to duplicate the partner under a different entity ID while keeping the same endpoints.

You can have a local SP with multiple IdPs.

The web agent plugin determines the Service Provider Application Path by comparing it with the incoming original URL. That path is used to retrieve all the partner IdPs whose association references the same SP Resource Configuration. If the discovery option selected is "Force the user to authenticate using a specific IDP", the configured default partner IdP is matched against the partner IdPs retrieved for that SP Resource Configuration; if no match is found, an exception is thrown.
If the web agent plugin is unable to retrieve the original URL, discovery fails. Each web agent uses its own method to determine the original URL: for example, the CTWebAgent plugin retrieves it from the parameter CT_ORIG_URI and the DemoWebAgent plugin from the parameter ORIGINAL_URL.
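The discovery flow described above, modelled as an added Python example (this is illustration code, not RSA FIM code). The only names taken from the article are the two request parameters, CT_ORIG_URI and ORIGINAL_URL; the class and function names, the longest-prefix rule for matching the application path, the discovery option labels and the sample configuration are assumptions made for the illustration. It shows both failure modes the article mentions: a missing original URL, and a forced default IdP that is not among the IdPs associated with the matched SP Resource Configuration.

```python
"""Model of the web-agent IdP discovery flow described in this article.

Added example, not RSA FIM code. Everything here except the two request
parameter names the article gives (CT_ORIG_URI, ORIGINAL_URL) is an
assumption: the class and function names, the longest-prefix rule for
matching the application path, and the discovery option labels.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """The plugin could not resolve a partner IdP for the request."""


@dataclass
class SPResourceConfig:
    app_path: str                       # SP Application Path (assumed: URL path prefix)
    partner_idps: List[str]             # partner IdPs whose association uses this config
    discovery: str = "prompt"           # assumed labels: "prompt" or "force"
    default_idp: Optional[str] = None   # only consulted when discovery == "force"


# Request parameter each plugin reads the original URL from (names from the article).
ORIGINAL_URL_PARAM = {
    "CTWebAgent": "CT_ORIG_URI",
    "DemoWebAgent": "ORIGINAL_URL",
}


def original_url(agent: str, params: dict) -> str:
    """Each web agent supplies the original URL its own way; if it is missing,
    discovery fails before any SP resource configuration is consulted."""
    name = ORIGINAL_URL_PARAM.get(agent)
    if name is None or not params.get(name):
        raise DiscoveryError(f"{agent}: original URL not found in request")
    return params[name]


def _path_under(app_path: str, path: str) -> bool:
    """True if `path` lies under `app_path` (assumed path-segment prefix rule)."""
    app = app_path.rstrip("/")
    return app == "" or path == app or path.startswith(app + "/")


def match_sp_resource(url: str, configs: List[SPResourceConfig]) -> SPResourceConfig:
    """Pick the SP resource configuration whose application path covers the
    original URL (assumed: the longest matching prefix wins)."""
    path = urlsplit(url).path or "/"
    matches = [c for c in configs if _path_under(c.app_path, path)]
    if not matches:
        raise DiscoveryError(f"no SP resource configuration matches {url}")
    return max(matches, key=lambda c: len(c.app_path.rstrip("/")))


def discover(agent: str, params: dict, configs: List[SPResourceConfig]) -> List[str]:
    """Return the partner IdP(s) the user may authenticate with.

    With the forced-IdP option the configured default IdP must be one of the
    IdPs associated with the matched SP resource configuration; otherwise the
    plugin raises, which is the exception the article describes."""
    cfg = match_sp_resource(original_url(agent, params), configs)
    candidates = list(cfg.partner_idps)
    if cfg.discovery == "force":
        if cfg.default_idp not in candidates:
            raise DiscoveryError(
                f"default IdP {cfg.default_idp!r} is not associated with "
                f"SP resource {cfg.app_path!r} (associated: {candidates})")
        return [cfg.default_idp]
    return candidates


def discovery_error(agent: str, params: dict,
                    configs: List[SPResourceConfig]) -> Optional[str]:
    """Convenience wrapper: the failure message, or None if discovery succeeds."""
    try:
        discover(agent, params, configs)
        return None
    except DiscoveryError as exc:
        return str(exc)


# Constructed sample configuration: one local SP with three resource configurations.
CONFIGS = [
    SPResourceConfig("/", ["idp-portal.example"]),
    SPResourceConfig("/hr", ["idp-hr.example", "idp-corp.example"],
                     discovery="force", default_idp="idp-hr.example"),
    # Misconfiguration: the forced default IdP is not associated with this resource.
    SPResourceConfig("/finance", ["idp-fin.example"],
                     discovery="force", default_idp="idp-corp.example"),
]

if __name__ == "__main__":
    print(discover("CTWebAgent", {"CT_ORIG_URI": "https://sp.example/hr/payslip"}, CONFIGS))
    print(discover("DemoWebAgent", {"ORIGINAL_URL": "https://sp.example/news"}, CONFIGS))
    # Wrong parameter name for this agent: the original URL cannot be retrieved.
    print(discovery_error("CTWebAgent", {"ORIGINAL_URL": "https://sp.example/hr"}, CONFIGS))
    # Forced IdP not associated with the matched SP Resource Configuration.
    print(discovery_error("CTWebAgent", {"CT_ORIG_URI": "https://sp.example/finance/report"}, CONFIGS))
```

When troubleshooting the exception in practice, the two checks this model encodes are the ones to make first: that the agent's original-URL parameter actually reaches the plugin, and that the default partner IdP named in the forced-discovery option has an association referencing the same SP Resource Configuration as the application path being accessed.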


Legacy Article ID: a55902