Hi,
Is it possible to use a different discovery service depending on the SP
that sent a SAML AuthnRequest to SATOSA, or do I have to do that in the
discovery service's frontend somehow?
There is a way to do this. Here is an outline of the approach:
In your proxy_conf.yaml under 'BACKEND_MODULES' configure two (2) SAML
backends, eg.
BACKEND_MODULES:
- "/etc/satosa/plugins/saml2_backend.yaml"
- "/etc/satosa/plugins/saml2_backend2.yaml"
The two different backend configurations in those files differ in the
following ways:
a) They should have different values for the 'name' field, eg. 'Saml2'
and 'Saml2b'
b) They should have different values for assertion_consumer_service. If
your configuration bases the URL on <name>, then (a) above will suffice.
If you hardcoded the ACS URL then make them differ yourself.
c) They should have different values for 'disco_srv' pointing to the
discovery services you want each to use.
You probably want each backend to use the same value for 'entityid'. If
your configuration bases the entityID on <name> then you should force
them to be the same entityID.
You will need to edit the metadata your SPs see for SATOSA so that the
backend has the multiple ACS URLs.
In your proxy_conf.yaml in the 'MICRO_SERVICES' configuration add the
requester_based_routing.yaml configuration, eg.
MICRO_SERVICES:
- "/etc/satosa/plugins/requester_based_routing.yaml"
Create the configuration for that micro service to map consuming SPs to
the different backends, eg.
module: satosa.micro_services.custom_routing.DecideBackendByRequester
name: RequesterRouter
config:
  requester_mapping:
    https://sp1.example.org/sp/shibboleth: Saml2
    https://sp2.example.org/sp/shibboleth: Saml2b
Scott K
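An added check for the invariants in the reply above (not SATOSA code or part of the thread): given the two parsed backend YAML files, it confirms that name, assertion_consumer_service and disco_srv differ while entityid is shared. The sample configs and their nesting are constructed for illustration; the checker searches the tree for each key so it does not depend on exact nesting.

```python
def find_key(tree, key):
    """Depth-first search for the first value stored under `key` in a
    nested dict/list structure (the shape of a parsed backend YAML file)."""
    if isinstance(tree, dict):
        if key in tree:
            return tree[key]
        for value in tree.values():
            found = find_key(value, key)
            if found is not None:
                return found
    elif isinstance(tree, list):
        for item in tree:
            found = find_key(item, key)
            if found is not None:
                return found
    return None


def check_backend_pair(cfg_a, cfg_b):
    """Return a list of invariant violations; an empty list means the pair is OK."""
    problems = []
    # (a), (b), (c): name, ACS endpoint and discovery service must differ
    for key in ("name", "assertion_consumer_service", "disco_srv"):
        va, vb = find_key(cfg_a, key), find_key(cfg_b, key)
        if va is None or vb is None:
            problems.append(f"'{key}' is missing from one backend")
        elif va == vb:
            problems.append(f"'{key}' must differ, both are {va!r}")
    # IdPs should see a single proxy, so both backends share one entityid
    ea, eb = find_key(cfg_a, "entityid"), find_key(cfg_b, "entityid")
    if ea is None or eb is None:
        problems.append("'entityid' is missing from one backend")
    elif ea != eb:
        problems.append(f"'entityid' must match: {ea!r} != {eb!r}")
    return problems


def make_backend(name, disco, acs_url, entityid):
    """Constructed sample backend config; nesting is illustrative only."""
    post = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    return {
        "name": name,
        "config": {
            "disco_srv": disco,
            "sp_config": {
                "entityid": entityid,
                "service": {"sp": {"endpoints": {
                    "assertion_consumer_service": [[acs_url, post]]}}},
            },
        },
    }
```

For real files, pass `yaml.safe_load()` of each backend YAML to `check_backend_pair`.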