IBM Verify


 federated identity broker (Idp Proxy) setup

Abdelhak Hamrioui posted Fri April 18, 2025 08:59 AM

Hello,

I would like to roll out a federated identity broker (Idp Proxy) setup within IVIA, but am not entirely sure about the support status.

A couple of questions:

- Would multiple nested SSO flows be supported, for example to support both OIDC and SAML through the same Point of Contact WebSEAL?
- Am I correct to assume that partnering is not required, as nested SSO flow is adopted (https://www.ibm.com/docs/en/sva/11.0.0?topic=configuration-nested-single-sign-flows)?
- Are there any other concerns, aside from the limitations mentioned in the first link below, which would require hosting a separate IVIA federation runtime instance (or PoC WebSEAL)?
Can these be co-hosted on an IVIA VM which is already preconfigured with separate SPs, IdPs (and a WebSEAL PoC, in the case of DEV/LAB setups)?
- Finally, between the nested SSOs, is there a way to inject an AAC access policy within the setup (between nested SSOs)?

I may be asking some questions which are quite straightforward, but I was not able to gather this from the IBM Knowledge Center docs.
In my past experience with TFIM and ISAM rollouts, this subject has always caused some confusion for me with regard to whether this was in fact supported.

References:

https://www.ibm.com/docs/en/sva/11.0.0?topic=overview-known-limitations
https://community.ibm.com/community/user/security/discussion/idp-and-sp-on-same
https://www.ibm.com/support/pages/identity-provider-and-service-provider-not-recommended-be-configured-partners-same-appliance-or-same-external-hvdb