Idea Details

Allow Multiple IdP entityIDs to be active at one time

Last activity 06-13-2019 09:19 AM
Chris Bertagnolli
03-17-2015 02:47 PM

Problem Description

CA SSO (as of 12.52 SP1) does not allow multiple partnerships for a single IdP entityID to be active at a time.

 

Problem Impact

Unable to create multiple unique configurations for a single identity provider. This limits the options to integrate with external IdPs in order to support dynamic authentication, identity mapping, and application integrations.

 

Currently, having a single IdP 'active' means any dynamic-type features require multiple IdP entities - which may not be available with external partners that only maintain one entityID but support multiple request capabilities - or custom plug-ins etc.

 

Request Change

Allow multiple IdPs to be active at one time. When calling the authnrequest and other Federation services on the SPS or Web Agent Option Pack, reference the configuration by NAME rather than entityID.

 

Benefit

Since the IdP partnerships are, to a degree, independent when working solely with them, being able to call by NAME/Alias allows better flexibility without custom plug-ins or code. For example, I could have 3x configurations for a partner IdP: (1) has single-factor authncontext processing at level 1, (2) has two-factor authncontext processing at level 2, and (3) has multi-step two-factor authncontext processing at level 3.

 

Authentication flows could then be handled dynamically very easily by simply altering the URL for different NAMEs. E.g.,

https://mysp.domain.com/affwebservices/public/saml2authnrequest?ProviderID=idp.domain.com-singleFactor

https://mysp.domain.com/affwebservices/public/saml2authnrequest?ProviderID=idp.domain.com-twoFactor

https://mysp.domain.com/affwebservices/public/saml2authnrequest?ProviderID=idp.domain.com-multiStep


Comments

09-07-2016 05:42 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your suggested enhancement. Based on current roadmap priorities and/or the limited amount of community support for this idea, we are not accepting this idea into the product backlog. Therefore, it is being moved to a “Not Planned” status.

10-27-2015 04:43 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your enhancement suggestion and decided to maintain the idea for possible consideration in a future release. The Community will continue to be able to vote on this enhancement idea.

04-14-2015 09:21 AM

 

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers.  Your input is vital to that effort.  The CA Single Sign-On Product Management team is reviewing your enhancement suggestion.  The Community will continue to be able to vote on this enhancement idea.