Hi Community,
We found a design difference between ISAM Fed and TFIM.
TFIM allows multiple service providers to have the same partner ID (but different ACS).
ISAM doesn't allow metadata to be loaded at all if the partner ID already exists.
It means ISAM checks the partner ID for uniqueness. However, it allows adding multiple ACS, but I am not sure how these ACS are going to work if the request is coming from the same partner ID. I mean, how will ISAM pick the correct ACS in an IdP-initiated flow?
If this is by design in ISAM, then I think this is a big design gap.
Moving forward, how are clients going to upload metadata to ISAM if ISAM doesn't allow the same partner ID? Do we need to manually add the ACS config? But what if the new metadata with the same partner ID has different certificates? This seems to me to be a design gap in ISAM. Is there any alternative or resolution for this?
We have over 100 existing service providers with the same partner IDs but different ACS and different certs, and I am not sure how to resolve this issue. Any help?
------------------------------
Amitesh Singh
------------------------------