Multiple idPs

I think this may be a duplicate of #2479301: WSOD on _simplesaml_auth_autoload() if simplesaml's autoload found, but cannot be loaded

Sorry, wrong issue

The idea may be valid, but a major rewrite could only be done in 4.x as we are still working on 3.x to ensure it works well enough to publish a stable version for 7.x. Given that there is also work invested in the 8.x-3.x version I don't think we will have enough resources to incorporate your changes into these branches in the near future.

I don't believe this is a problem with the current version, since the IdP-handling stuff is already handled by Simplesamlphp? What am I missing here?

Hello, I'm using this approach, and I have two questions.

- I have a problem with the customer_id attribute, is missing and I don't know where is supossed to be configured, but this line in the .inc file:

if(NULL !== $simplesamlphp_authsource && isset($simplesamlphp_authsource->user_customer_id)) {
...

avoid me to create or login users. I force this user_customer_id with the same value of the drupal sp id I'm using to solve this temporally.

- The second question is that the global $_simplesamlphp_auth_saml_attributes is always empty in all the user hooks (user presave, login, create, update...). How is the best way to get the user federated fields? I'm initializing the saml and using the getAuthSourceAttributes() method.

Thanks in advance!!

By this approach do you mean you are using multiple IdPs?

In any case, there should be no need to change the code to customise the module for a particular IdP. All configuration should take place either on the IdP level, or in the simplesamlphp library itself.

For the remaining questions I'd like to ask you to open a separate ticket, this one should be reserved for the discussion around multiple IdP support.

I agree with snufkin that multiple IdPs should be configured in the simplesamlphp library.

Yes, Simplesamlphp handles multiple-IdP stuff. However, that fact is based on the premise that all your customers use the same SAML attributes

Most IdPs will use a fairly standard set of attributes (e.g. eduPerson), however, you can still rename/rewrite/do whatever with the attributes in the simplesaml SP config, either globally per SP/IdP. See https://simplesamlphp.org/docs/1.5/simplesamlphp-authproc#section_2_3

and that you do not mind letting the N user being able to pick her idP (if they know their idP's name) from a Select Box.

Yes, they should know their IdP ('home institution'). You could use pretty-print display names and/or logo's on the WAYF to help them recognise this.

Closing this as 'works as designed', since multiple IdP are effectively supported.

This is still not implemented in Drupal 8 version. The comment using the term "essentially" eludes me. The configuration screens themselves only configure one Idp, so its obvious that multiple idps aren't supported. The shibboleth modules for Drupal are the same.

The language seems to be the issue. Here is my attempt at clarifying this:

- Support for multiple authentication protocols. This is ambiguous and is in the modules description and should be updated.
- Support for many authentication protocols, but only one per Drupal site. This means site admin can pick a single Idp with a single protocol and configuree and use it. This is what is implemented.
- Support for multiple authentication protocols within a Drupal site. This means the site admin can pick and configure more than one Idp for the site. The end user can with select the idp from a pull down or list of urls.

When I rewrote the LDAP module for Drupal 7, I changed it to allow for multiple LDAPs. Took some work but solved many issues.

A workaround is to install one SAML framework for each idp (e.g. install shibboleth, simplesamlphp, and their accompanying modules). With this approach using simplesaml_auth, shib auth, minorange saml, etc you could have 5 or 6 idps. Of course, that is a ridiculous approach.