SAML with multiple IdP: always uses first active

Hi All,

We implemented SSO with the SAML2 module, which works fine. We added a second IdP in the configuration and used the option to specify which IdP to use in the URL. This looks like:

/sso/login/ADFS
/sso/login?_idp_id=ADFS
/sso/login/SurfConext
/sso/login?_idp_id=SurfConext

We have configured both aliases in the configuration section, and both also work individually. When we toggle both providers as active, the first active IdP will always be used despite adding the preferred alias...

Any ideas what is wrong?

Best Regards,
Willem Jan
asked
1 answer

I too recently discovered this is broken. I have created a fix that is currently being tested at a client, and which I will try to make available via the appstore soon.

If you don't mind doing the dirty work yourself, you can edit the following Java files. As I said, this is not confirmed to work 100% yet, so at your own risk :)

saml20/implementation/metadata/IdPMetadata.java, lines 136-151 (function findSupportedEntity()), replace with:

public Metadata findSupportedEntity(String entityId) {
    // First try an exact match on a configured IdP entity ID
    if (this.metadataSet.containsKey(entityId)) {
        return this.metadataSet.get(entityId);
    }

    // Otherwise treat the value as a configured alias and resolve it to its entity ID
    if (this.AliasSet.containsKey(entityId)) {
        if (this.metadataSet.containsKey(this.AliasSet.get(entityId))) {
            return this.metadataSet.get(this.AliasSet.get(entityId));
        }
    }

    // Neither an entity ID nor a known alias: log what was requested and what is configured,
    // and return null so the caller decides instead of this method guessing an IdP
    _logNode.debug("No supported Entity Ids found in set: " + entityId + " supported ids: " + this.metadataSet.keySet() + ", aliases: " + this.AliasSet.keySet());

    return null;
}

And saml20/implementation/LoginHandler.java, lines 57-59 (just before the if (metadata != null)), replace with:

metadata = idpMetadata.findSupportedEntity(samlIdp);
answered
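As an added illustration (this is not code from the SAML module or from the answer above), the lookup logic of the patched findSupportedEntity() in a stand-alone Java class, together with the caller behaviour a practitioner would want around it. The class name, the entity IDs, the aliases and the selectIdp() caller are assumptions for the example; the module's own Metadata type is replaced by a stub. The point it makes: the _idp_id value comes from the request, so it is user-controlled, and the lookup must only ever resolve to a configured entity ID or alias. When an IdP is explicitly requested and does not resolve, the request should fail rather than silently fall back to the first active IdP, which is exactly the behaviour the question describes.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not the SAML module's code. Class, field and method names,
// entity IDs and aliases below are assumptions made for illustration only.
public class IdpLookupExample {

    // Stand-in for the module's Metadata object: only the entity ID matters here.
    static final class Metadata {
        final String entityId;
        Metadata(String entityId) { this.entityId = entityId; }
        @Override public String toString() { return "Metadata(" + entityId + ")"; }
    }

    // Insertion-ordered so "first active IdP" has a deterministic meaning in the demo.
    private final Map<String, Metadata> metadataSet = new LinkedHashMap<>();
    // alias -> entity ID, as configured in the module's alias section.
    private final Map<String, String> aliasSet = new HashMap<>();

    void addIdp(String entityId, String... aliases) {
        metadataSet.put(entityId, new Metadata(entityId));
        for (String alias : aliases) {
            aliasSet.put(alias, entityId);
        }
    }

    // Mirrors the patched lookup: exact entity ID match, then configured alias, else null.
    // Only values present in the configuration can ever be returned.
    Metadata findSupportedEntity(String requested) {
        if (requested == null) {
            return null;
        }
        Metadata direct = metadataSet.get(requested);
        if (direct != null) {
            return direct;
        }
        String viaAlias = aliasSet.get(requested);
        if (viaAlias != null) {
            return metadataSet.get(viaAlias);
        }
        return null;
    }

    // Assumed caller behaviour (not necessarily what LoginHandler does): no IdP requested
    // means use the default (first active); an IdP that was requested but does not resolve
    // is an error, never a silent fallback to the first active IdP.
    Metadata selectIdp(String requestedIdp) {
        if (requestedIdp == null || requestedIdp.isEmpty()) {
            if (metadataSet.isEmpty()) {
                throw new IllegalStateException("No active IdP configured");
            }
            return metadataSet.values().iterator().next();
        }
        Metadata m = findSupportedEntity(requestedIdp);
        if (m == null) {
            throw new IllegalArgumentException("Unknown IdP requested: " + requestedIdp);
        }
        return m;
    }

    public static void main(String[] args) {
        IdpLookupExample idps = new IdpLookupExample();
        // Constructed configuration: two IdPs, each with one alias (entity IDs are made up).
        idps.addIdp("urn:example:adfs", "ADFS");
        idps.addIdp("urn:example:surfconext", "SurfConext");

        System.out.println(idps.selectIdp(null));                     // default: first active IdP
        System.out.println(idps.selectIdp("SurfConext"));             // alias resolves to second IdP
        System.out.println(idps.selectIdp("urn:example:surfconext")); // entity ID resolves directly
        try {
            idps.selectIdp("NotConfigured");                          // user-supplied, unknown value
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Run it with javac IdpLookupExample.java && java IdpLookupExample. The unknown-value case is the one worth keeping in mind when applying the patch above: the posted findSupportedEntity() returns null for anything that is neither an entity ID nor an alias, and whatever the surrounding LoginHandler code does with that null decides whether a mistyped or tampered _idp_id ends in an error page or in a login at an IdP the user never selected.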