Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Joao,

I assume you want to do following

1. Internal request to go to Internal_proxy
2. External request to go to external_proxy

This can be handled easily using LB. LB facing internet would route all the request to external proxy and LB intercepting internal request would route request to internal_proxy.

Please let me know if you need any other information. 


------------------------------
Rahil Anwar
------------------------------

Original Message:
Sent: Sat January 02, 2021 11:51 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Thanks for your reply, but it does not answer the question.
On the definition of the IdP, we must define 2 parameters: Provider ID and Point of Contact.

Both are Reverse Proxy dependent. How can the same Federation serve 2 different Reverse proxies? What is the recommendation?

For example,

• The Point of Contact should be http[s]://hostname[:portnumber]/junction/sps
• The Provider ID should be point_of_contact _server_URL/federation_name/saml20.

The hostname is the Load Balancer for either Internal or External Virtual IP addresses!
How do you overcome this problem?


------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Original Message:
Sent: Mon January 04, 2021 12:57 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Hi Joao,

I assume you want to do following

1. Internal request to go to Internal_proxy
2. External request to go to external_proxy

This can be handled easily using LB. LB facing internet would route all the request to external proxy and LB intercepting internal request would route request to internal_proxy.

Please let me know if you need any other information. 


------------------------------
Rahil Anwar

Original Message:
Sent: Sat January 02, 2021 11:51 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Dear Joao,

We have done the same in our environment. No need to specify 2 URL in federation configuration. 

please check with LB team

------------------------------
Rahil Anwar
------------------------------

Original Message:
Sent: Mon January 04, 2021 06:42 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Thanks for your reply, but it does not answer the question.
On the definition of the IdP, we must define 2 parameters: Provider ID and Point of Contact.

Both are Reverse Proxy dependent. How can the same Federation serve 2 different Reverse proxies? What is the recommendation?

For example,

• The Point of Contact should be http[s]://hostname[:portnumber]/junction/sps
• The Provider ID should be point_of_contact _server_URL/federation_name/saml20.

The hostname is the Load Balancer for either Internal or External Virtual IP addresses!
How do you overcome this problem?


------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994

Original Message:
Sent: Mon January 04, 2021 12:57 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Hi Joao,

I assume you want to do following

1. Internal request to go to Internal_proxy
2. External request to go to external_proxy

This can be handled easily using LB. LB facing internet would route all the request to external proxy and LB intercepting internal request would route request to internal_proxy.

Please let me know if you need any other information. 


------------------------------
Rahil Anwar

Original Message:
Sent: Sat January 02, 2021 11:51 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Joao, Rahil,

I suspect that in the environment Rahil has set up, both internal and external users are using the SAME DNS name (which resolves to Global LB) - but are then being directed to different Reverse Proxy clusters based on source.  You could achieve a similar result by having internal and external systems use different DNS (which returns different cluster IP for internal and external).

In the case where the DNS hostname for each cluster is different (which sounds like the case for Joao's environment) I think you will still need different federation definitions for the internal and external channels.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Mon January 04, 2021 07:13 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Dear Joao,

We have done the same in our environment. No need to specify 2 URL in federation configuration. 

please check with LB team

------------------------------
Rahil Anwar

Original Message:
Sent: Mon January 04, 2021 06:42 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Thanks for your reply, but it does not answer the question.
On the definition of the IdP, we must define 2 parameters: Provider ID and Point of Contact.

Both are Reverse Proxy dependent. How can the same Federation serve 2 different Reverse proxies? What is the recommendation?

For example,

• The Point of Contact should be http[s]://hostname[:portnumber]/junction/sps
• The Provider ID should be point_of_contact _server_URL/federation_name/saml20.

The hostname is the Load Balancer for either Internal or External Virtual IP addresses!
How do you overcome this problem?


------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994

Original Message:
Sent: Mon January 04, 2021 12:57 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Hi Joao,

I assume you want to do following

1. Internal request to go to Internal_proxy
2. External request to go to external_proxy

This can be handled easily using LB. LB facing internet would route all the request to external proxy and LB intercepting internal request would route request to internal_proxy.

Please let me know if you need any other information. 


------------------------------
Rahil Anwar

Original Message:
Sent: Sat January 02, 2021 11:51 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Jon,

Agree in case you need different name for external and internal DNS then you need to configure different federation.

------------------------------
Rahil Anwar
------------------------------

Original Message:
Sent: Mon January 04, 2021 07:21 AM
From: Jon Harry
Subject: Sharing Federation among Reverse Proxies

Joao, Rahil,

I suspect that in the environment Rahil has set up, both internal and external users are using the SAME DNS name (which resolves to Global LB) - but are then being directed to different Reverse Proxy clusters based on source.  You could achieve a similar result by having internal and external systems use different DNS (which returns different cluster IP for internal and external).

In the case where the DNS hostname for each cluster is different (which sounds like the case for Joao's environment) I think you will still need different federation definitions for the internal and external channels.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Mon January 04, 2021 07:13 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Dear Joao,

We have done the same in our environment. No need to specify 2 URL in federation configuration. 

please check with LB team

------------------------------
Rahil Anwar

Original Message:
Sent: Mon January 04, 2021 06:42 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Thanks for your reply, but it does not answer the question.
On the definition of the IdP, we must define 2 parameters: Provider ID and Point of Contact.

Both are Reverse Proxy dependent. How can the same Federation serve 2 different Reverse proxies? What is the recommendation?

For example,

• The Point of Contact should be http[s]://hostname[:portnumber]/junction/sps
• The Provider ID should be point_of_contact _server_URL/federation_name/saml20.

The hostname is the Load Balancer for either Internal or External Virtual IP addresses!
How do you overcome this problem?


------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994

Original Message:
Sent: Mon January 04, 2021 12:57 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Hi Joao,

I assume you want to do following

1. Internal request to go to Internal_proxy
2. External request to go to external_proxy

This can be handled easily using LB. LB facing internet would route all the request to external proxy and LB intercepting internal request would route request to internal_proxy.

Please let me know if you need any other information. 


------------------------------
Rahil Anwar

Original Message:
Sent: Sat January 02, 2021 11:51 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------

Hi Joao,

If you want to stick to 1 federation definition only, you could define the federation's local address as the point of contact (with local I mean the target of the /isam junction from the internal and external webseal).
If the partners (SPs) are proxy-integrated behind the same webseal, all the SAML operations would work due to webseal's filtering capabilities.

But if a SP is not proxy-integrated via junction, then all those SAML operations would probably fail, where the SP has to send messages to the IdP: SP initiated SSO, SLO.
At least IdP intiated SSO will still work.

Frank

------------------------------
Frank Thurau
------------------------------

Original Message:
Sent: Mon January 04, 2021 06:42 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Thanks for your reply, but it does not answer the question.
On the definition of the IdP, we must define 2 parameters: Provider ID and Point of Contact.

Both are Reverse Proxy dependent. How can the same Federation serve 2 different Reverse proxies? What is the recommendation?

For example,

• The Point of Contact should be http[s]://hostname[:portnumber]/junction/sps
• The Provider ID should be point_of_contact _server_URL/federation_name/saml20.

The hostname is the Load Balancer for either Internal or External Virtual IP addresses!
How do you overcome this problem?


------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994

Original Message:
Sent: Mon January 04, 2021 12:57 AM
From: Rahil Anwar
Subject: Sharing Federation among Reverse Proxies

Hi Joao,

I assume you want to do following

1. Internal request to go to Internal_proxy
2. External request to go to external_proxy

This can be handled easily using LB. LB facing internet would route all the request to external proxy and LB intercepting internal request would route request to internal_proxy.

Please let me know if you need any other information. 


------------------------------
Rahil Anwar

Original Message:
Sent: Sat January 02, 2021 11:51 AM
From: Joao Goncalves
Subject: Sharing Federation among Reverse Proxies

Although I know it is possible, it seems that the way to do this is awkward!
I have an Identity Provider IdP for SAML 2.0 and multiple partners.

Because there are multiple clients (some internal and some external), I would like provide access to the same Federation (IdP) through different ports/Reverse Proxies.

But on the definition of the Identity Provider, I must specify the Provider ID as well as the Point Of Contact, which are Reverse Proxy dependent!

What is the recommendation for such use case!

------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------