We have several Service Providers and 10 Identity Providers. As soon as
a user hits a service provider with WAYF (Where are you from) and
chooses our IDP Proxy, he must get a form to choose any of the IDPs. Of
course the user authenticates, and the SAML response info must return back
to the originating SP.

We would like to use Access Manager 3.2.2 as this IDP Proxy.
So my first thought is:
Define the Identity and Service Providers.
Use the Gateway to host a public page with links to 10 protected
resources (representing the 10 IDPs). Each of these protected pages has
an authentication method to redirect to the IDPs. On a successful
return, this protected page must copy the SAML attributes from the
response back into the originating response.

Now, we have got a few questions:
Would this be the correct way to set up an IDP Proxy, or is there a
simpler way?
How and where can we store the originating SAML request in order to
generate a SAML Response? Are these environment variables, like
simpleSAMLphp does in Apache? (Can we use the Liberty profile for that?)

When using a "traditional" federation the IDP server must act as an SP;
is that sitting on the IDP box, and can we use that? Or is it using the ESP
from the gateway?

We would like to have a direction to go or maybe some samples. We know
it is hardly done, so any help is appreciated.


dvandermaas's Profile: https://forums.netiq.com/member.php?userid=1956
View this thread: https://forums.netiq.com/showthread.php?t=48788
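The question above asks where the originating SAML request has to be kept so that a Response can be generated for the first SP after the user comes back from the chosen IdP. The following is an added example, written for this thread and not code from the poster or from NetIQ Access Manager; it does not show how Access Manager stores that state internally. It models a generic SAML 2.0 IdP proxy in plain Python (standard library only): the proxy remembers the inbound AuthnRequest (ID, Issuer, AssertionConsumerServiceURL) in an in-memory table keyed by an unguessable RelayState, sends its own AuthnRequest to the IdP the user picked, and on return checks InResponseTo and Issuer of the IdP's Response before building the Response for the original SP with InResponseTo, Destination and Audience pointing back at that SP. All entity IDs, URLs and the two sample messages are constructed placeholders; XML signatures, encryption and NotOnOrAfter checks are left out and must be done by the real product.

```python
import secrets, uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

@dataclass
class PendingRequest:              # what the proxy remembers between SP request and IdP answer
    sp_request_id: str             # ID of the AuthnRequest from the originating SP
    sp_issuer: str                 # entityID of the originating SP (becomes the Audience)
    sp_acs_url: str                # where the final Response must be delivered
    upstream_request_id: str = ""  # ID of the AuthnRequest the proxy sent to the IdP
    upstream_idp: str = ""         # entityID of the IdP the user chose

def extract_attributes(root: ET.Element) -> dict[str, list[str]]:
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

class IdpProxy:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.pending: dict[str, PendingRequest] = {}   # RelayState -> stored request

    def receive_sp_request(self, authn_request_xml: str) -> str:
        """Store the SP's AuthnRequest details; return the RelayState that keys them."""
        root = ET.fromstring(authn_request_xml)
        issuer = root.find("saml:Issuer", NS)
        req_id, acs = root.get("ID"), root.get("AssertionConsumerServiceURL")
        if root.tag != f"{{{SAMLP}}}AuthnRequest" or issuer is None or not req_id or not acs:
            raise ValueError("malformed AuthnRequest")
        relay_state = secrets.token_urlsafe(32)         # unguessable, single-use key
        self.pending[relay_state] = PendingRequest(req_id, issuer.text, acs)
        return relay_state

    def forward_to_idp(self, relay_state: str, idp_entity_id: str, idp_sso_url: str) -> str:
        """Build the AuthnRequest the proxy (now acting as an SP) sends to the chosen IdP."""
        state = self.pending[relay_state]
        state.upstream_request_id = "_" + uuid.uuid4().hex
        state.upstream_idp = idp_entity_id
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": state.upstream_request_id,
                                                      "Version": "2.0", "Destination": idp_sso_url})
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = self.entity_id
        return ET.tostring(req, encoding="unicode")

    def receive_idp_response(self, relay_state: str, response_xml: str) -> tuple[str, str]:
        """Check the IdP's Response against stored state; return (acs_url, Response for the SP)."""
        state = self.pending.pop(relay_state, None)     # pop: a replayed RelayState fails
        if state is None:
            raise ValueError("unknown or already-used RelayState")
        root = ET.fromstring(response_xml)
        # Must answer the request *this* proxy sent, and come from the IdP the user chose.
        if root.get("InResponseTo") != state.upstream_request_id:
            raise ValueError("InResponseTo does not match the forwarded request")
        if (issuer := root.find("saml:Issuer", NS)) is None or issuer.text != state.upstream_idp:
            raise ValueError("Response issued by an unexpected IdP")
        return state.sp_acs_url, self._build_sp_response(state, extract_attributes(root))

    def _build_sp_response(self, state: PendingRequest, attrs: dict[str, list[str]]) -> str:
        resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                          "InResponseTo": state.sp_request_id, "Destination": state.sp_acs_url})
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = self.entity_id
        assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion")
        ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = self.entity_id
        cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions")
        ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                      f"{{{SAML}}}Audience").text = state.sp_issuer   # scoped to the original SP
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        for name, values in attrs.items():              # copy the IdP's attributes across
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
            for value in values:
                ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
        return ET.tostring(resp, encoding="unicode")

# Constructed sample messages (not captured from any real deployment; unsigned).
SP_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_sp-req-1" '
              'Version="2.0" AssertionConsumerServiceURL="https://sp.example.test/acs">'
              '<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>')

def constructed_idp_response(in_response_to: str, idp_entity_id: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_idp-resp-1" '
            f'Version="2.0" InResponseTo="{in_response_to}"><saml:Issuer>{idp_entity_id}</saml:Issuer>'
            '<saml:Assertion><saml:AttributeStatement><saml:Attribute Name="mail">'
            '<saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>')

def run_flow(mode: str = "ok") -> dict:
    """One round trip, summarised; mode "forged_id" (IdP answers an unknown request) or "replay" raises."""
    idp = "https://idp1.example.test"
    proxy = IdpProxy("https://proxy.example.test")
    relay = proxy.receive_sp_request(SP_REQUEST)
    upstream_id = ET.fromstring(proxy.forward_to_idp(relay, idp, idp + "/sso")).get("ID")
    upstream_id = "_forged" if mode == "forged_id" else upstream_id
    acs_url, final = proxy.receive_idp_response(relay, constructed_idp_response(upstream_id, idp))
    if mode == "replay":                                # RelayState was popped, so this raises
        proxy.receive_idp_response(relay, constructed_idp_response(upstream_id, idp))
    root = ET.fromstring(final)                         # the fields the originating SP will check
    return {"acs_url": acs_url, "in_response_to": root.get("InResponseTo"),
            "destination": root.get("Destination"),
            "audience": root.findtext(".//saml:Audience", namespaces=NS),
            "attributes": extract_attributes(root)}
```

The point the model makes is that a proxy holds two correlated requests at once, so the stored record needs both the SP's request ID and the ID of the request the proxy itself sent upstream. Whatever Access Manager uses as its storage (session, cookie, or something the Liberty/ESP side provides), the same four checks apply on the way back: the IdP's Response must carry the proxy's own InResponseTo, its Issuer must be the IdP that was chosen, the stored RelayState entry is consumed once so a second delivery fails, and the Response sent on to the SP is bound to that SP through InResponseTo, Destination and Audience.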