
The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.


It's easy to configure an IdP to simultaneously use multiple LDAP directories with different user bases. However, be careful that the same user key (the principal name the IdP looks up) is not present in both directories, or you might end up releasing a combined, and incorrect, attribute set for some users. You'll need to point at both LDAP servers in two places: the attribute resolver, for attributes, and the authentication configuration, so that users in either directory can log in. In both cases the IdP will consult the directories in the order you define them; it cannot guess which directory a given user is in.

For sanity's sake, you shouldn't use one IdP to represent disparate security domains.

Authentication

JAAS, which the IdP uses, supports authentication chaining. See their documentation for more information.

The authentication process may try one or both directories. There is no way for the IdP to guess which directory the user is in, so it can only try them in the order you define them.
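As an added illustration (not from the original page), a login.config fragment that chains two directories in the ShibUserPassAuth JAAS context using the vt-ldap LdapLoginModule shipped with the 2.x IdP. Host names, base DNs and the bind account are assumed placeholders:

```jaas
// Hypothetical example: two LDAP directories chained for username/password login.
// Both entries are "sufficient": the first directory to authenticate the user wins,
// and the login fails only if neither directory accepts the credentials.
ShibUserPassAuth {
    // Directory A is tried first, because it is defined first.
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://ldap-a.example.org"
        baseDn="ou=people,dc=a,dc=example,dc=org"
        tls="true"
        bindDn="cn=idp-bind,ou=system,dc=a,dc=example,dc=org"
        bindCredential="REPLACE-WITH-BIND-PASSWORD"
        userFilter="(uid={0})";

    // Directory B is only consulted when A did not authenticate the user.
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://ldap-b.example.org"
        baseDn="ou=people,dc=b,dc=example,dc=org"
        tls="true"
        bindDn="cn=idp-bind,ou=system,dc=b,dc=example,dc=org"
        bindCredential="REPLACE-WITH-BIND-PASSWORD"
        userFilter="(uid={0})";
};
```

Because the same {0} user name is searched in both directories, a user name that exists in both means the first directory's password is the one that counts for login, while the attribute resolver below will still merge attributes from both; that is the duplicate-key situation the introduction warns about.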

Attributes

Define an LDAP data connector for each directory, and add two Dependency elements to every attribute you want to pull from both directories. The attribute query will try both directories no matter which directory contains the user. There is no way for the IdP to guess which directory the user is in, or whether the user is present in both.
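As an added example (not the page's own configuration), an attribute-resolver.xml fragment for the 2.x IdP with one LDAPDirectory data connector per directory and a mail attribute definition that depends on both. The host names, DNs, bind credentials and the ldapA/ldapB connector ids are assumed:

```xml
<!-- Hypothetical fragment; the surrounding AttributeResolver root element and
     schemaLocation are omitted. Namespaces are the standard IdP 2.x ones. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- The attribute is sourced from BOTH connectors; if the principal name
       exists in both directories, the values are merged into one attribute. -->
  <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="ldapA" />
    <resolver:Dependency ref="ldapB" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
  </resolver:AttributeDefinition>

  <!-- Directory A. noResultIsError stays at its default of false so that a
       principal absent from this directory simply yields no values here
       instead of aborting the whole resolution. -->
  <resolver:DataConnector id="ldapA" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap-a.example.org"
      baseDN="ou=people,dc=a,dc=example,dc=org"
      principal="cn=idp-bind,ou=system,dc=a,dc=example,dc=org"
      principalCredential="REPLACE-WITH-BIND-PASSWORD"
      noResultIsError="false">
    <dc:FilterTemplate>
      <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>mail</dc:ReturnAttributes>
  </resolver:DataConnector>

  <!-- Directory B, queried for every principal as well. -->
  <resolver:DataConnector id="ldapB" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap-b.example.org"
      baseDN="ou=people,dc=b,dc=example,dc=org"
      principal="cn=idp-bind,ou=system,dc=b,dc=example,dc=org"
      principalCredential="REPLACE-WITH-BIND-PASSWORD"
      noResultIsError="false">
    <dc:FilterTemplate>
      <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>mail</dc:ReturnAttributes>
  </resolver:DataConnector>

</resolver:AttributeResolver>
```

Both connectors run on every query, so keep the two user bases disjoint; the resolver has no way to tell a user who legitimately exists in one directory from a same-named entry that happens to exist in the other.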
