I have been thinking about how to design a solution for a customer.
They have an Access Manager that we are doing federation with, among other
Now they have an application that can act as an SP, and AM can of course be
the IDP, but the identities of the users that should be logging on to the
application are in another directory (government) that has its own IDP.
The customer does not want to let the application be directly connected to
the internet or, preferably, to the other IDP.
Is there a way to let AM be the IDP for the application and at the same
time use the external IDP to verify the users? I know that there is IDP
brokering that should work like this, but one important thing is that the
customer has to save the user objects in a directory.
Is there a better way to do this? One option would be to only be the
proxy in front of the application and let it handle the SAML stuff on
its own.
One other thing I have been thinking about is whether it is possible for AM to be
the SP and pass the attributes (or perhaps the SAML ticket) on to the
application, but same thing there: I haven't done that and don't know if
it works that way; would the application be able to retrieve the
information and use it?
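The last option in the post (the gateway acts as SAML SP and hands the user's attributes to the back-end application) is usually done by injecting the attributes as HTTP headers on the proxied request. The point a practitioner will want to see is that the application must only honour those headers when the request demonstrably came from the gateway; otherwise anyone who can reach the application directly, or who can reach the gateway and supply the same header names, could impersonate a user. The following is an added example written for this thread, not code from the poster or from any Access Manager product. Header names, the trusted proxy network, the shared secret and the sample attributes are all constructed assumptions.

```python
"""Consuming identity attributes injected by a front-end SAML gateway.

Assumed pattern (not taken from any product documentation): the gateway
authenticates the user, then forwards the SAML attributes to the back-end
application as HTTP headers plus an HMAC over those headers. The
application trusts the headers only if (a) the request arrived from the
gateway's network and (b) the HMAC verifies with the shared secret.
"""
import hashlib
import hmac
from ipaddress import ip_address, ip_network
from typing import Dict, Mapping

# Constructed header names; real deployments configure their own.
IDENTITY_HEADERS = ("X-Auth-User", "X-Auth-Mail", "X-Auth-Roles")
PROXY_SIGNATURE_HEADER = "X-Proxy-Signature"
# Constructed example: the gateway's internal address range.
TRUSTED_PROXY_NET = ip_network("10.0.0.0/24")


class UntrustedIdentityError(Exception):
    """Raised when identity headers cannot be attributed to the gateway."""


def sign_identity(headers: Mapping[str, str], secret: bytes) -> str:
    """HMAC-SHA256 over the identity headers, in a fixed order.

    The gateway computes this before forwarding; the application recomputes
    it to detect headers that were added or altered by anyone else.
    """
    payload = "\n".join(
        f"{h}={headers.get(h, '')}" for h in IDENTITY_HEADERS
    ).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def strip_client_identity_headers(client_headers: Mapping[str, str]) -> Dict[str, str]:
    """Gateway side: discard identity/signature headers the client itself sent.

    Without this step a client could pre-populate X-Auth-User and the
    gateway would pass it through unchanged.
    """
    banned = {h.lower() for h in IDENTITY_HEADERS} | {PROXY_SIGNATURE_HEADER.lower()}
    return {k: v for k, v in client_headers.items() if k.lower() not in banned}


def forward_with_identity(
    client_headers: Mapping[str, str], attributes: Mapping[str, str], secret: bytes
) -> Dict[str, str]:
    """Gateway side: build the header set that is sent on to the application."""
    out = strip_client_identity_headers(client_headers)
    for h in IDENTITY_HEADERS:
        if h in attributes:
            out[h] = attributes[h]
    out[PROXY_SIGNATURE_HEADER] = sign_identity(out, secret)
    return out


def resolve_user(headers: Mapping[str, str], remote_addr: str, secret: bytes) -> Dict[str, object]:
    """Application side: return the user context, or raise if untrusted."""
    # (a) The request must come from the gateway, not from an arbitrary host.
    if ip_address(remote_addr) not in TRUSTED_PROXY_NET:
        raise UntrustedIdentityError("request did not come from the gateway")
    # (b) The identity headers must carry a valid gateway signature.
    sig = headers.get(PROXY_SIGNATURE_HEADER, "")
    if not sig or not hmac.compare_digest(sig, sign_identity(headers, secret)):
        raise UntrustedIdentityError("identity headers missing or not signed by gateway")
    user = headers.get("X-Auth-User", "")
    if not user:
        raise UntrustedIdentityError("no user attribute supplied")
    roles = [r for r in headers.get("X-Auth-Roles", "").split(",") if r]
    return {"user": user, "mail": headers.get("X-Auth-Mail", ""), "roles": roles}
```

The network check is what makes the poster's constraint (the application is never exposed to the internet) a security property rather than just a topology choice: if the application were reachable directly, the signature alone would still stop spoofing, but only as long as the shared secret stays private. Using both checks means neither a leaked secret nor a misrouted request is sufficient on its own.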