|Applies To||Federated Identity Management Module 4.1|
|Issue||Associating multiple local IdPs entities with one partner SP entity.|
Does FIM support Multiple IdPs with one SP?
In FIM if a partner is engaged with local entity, the same partner cannot be associated with any other local entity. The "Partner should be unique" and two local entities cannot be associated with same partner. Further more in a give association local/partner entity either plays IDP or SP role. Once a partner is associated with a local entity in a given role such as that of IDP even if the partner cannot be used in the role of SP. The SP role can be brought back unless you detach/modify the existing association and change the role.
This is behavior has been in place since the products inception and is the same for SAML 1.1 and SAML 2.0.
The RP by uniqueness is enforced by the recipient URI and in AP by uniqueness of IssuerID. This means you cannot have two partner RPs in the system with same recipient URI, or two partners APs with the same issuer id. The same partner cannot be associated multiple times in a single system. This is a very core assumption in our design and architecture of product. A workaround is to duplicate the partner with different entity ID keeping the same endpoints.
You can have a local SP with multiple IdPs.
The web agent plugin determines the Service Provider Application Path by comparing it with the incoming original URL. This is used to retrieve all the partner IDPs whose association has the same SP Resource Configuration. If the discovery option selected is ?Force the user to authenticate using a specific IDP? then the default partner IDP provided is matched with the partner IDPs retrieved earlier using the SP Resource Configuration. If a match is not found then this exception is thrown.
|Legacy Article ID||a55902|