The OpenSSO Enterprise Identity Provider Proxy is designed to enable the following:
Identity Providers can proxy an authentication request from a Service Provider to a different Identity Provider that has already authenticated the user.
Multiple Identity Provider Proxies can be configured between the Service Provider and the actual Identity Provider.
Existing SAMLv2 single sign-on and single logout process flows are seamlessly integrated.
Users can turn off identity proxying for an individual connection request by specifying the URL parameter idpproxy=false on that request.
Administrators can use customized SPI plug-ins with the Identity Provider Proxy to determine the user's preferred Identity Provider.
OpenSSO Enterprise provides the SPI com.sun.identity.SAMLv2.profile.SAMLv2IDPProxy, which enables an administrator to customize the plug-in used to find a preferred Identity Provider. If the Introduction Cookie is enabled, the Identity Provider Proxy relies on this plug-in to determine the user's preferred Identity Provider. The default implementation of the plug-in interface in OpenSSO Enterprise is based on the Identity Provider Discovery Service, which retrieves information about the user's preferred Identity Provider. The details of this SPI are described in the Sun OpenSSO Enterprise 8.0 Java API Reference.
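An added illustration, not OpenSSO's own code, of the work a preferred-Identity-Provider lookup such as the default plug-in has to do: read the _saml_idp common-domain cookie defined by the SAML 2.0 Identity Provider Discovery Profile (space-separated base64 entityIDs, most recently used last), keep only Identity Providers this proxy trusts, and honour the idpproxy=false request parameter. The entity IDs, the proxy URL and the helper names are assumptions made for the example.

```python
import base64
from urllib.parse import parse_qs, urlparse

# Constructed sample: entityIDs of the Identity Providers this proxy trusts.
KNOWN_IDPS = {"https://idp-a.example.org/saml2", "https://idp-b.example.org/saml2"}


def encode_saml_idp_cookie(entity_ids):
    """Build a '_saml_idp' cookie value (helper used to construct sample data)."""
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def parse_saml_idp_cookie(cookie_value):
    """Decode a '_saml_idp' cookie: base64 entityIDs separated by single spaces,
    oldest first. Malformed entries are skipped rather than trusted."""
    entity_ids = []
    for token in cookie_value.split(" "):
        token = token.strip()
        if not token:
            continue
        try:
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return entity_ids


def preferred_idp(cookie_value, known_idps=KNOWN_IDPS):
    """Return the most recently used Identity Provider that this proxy trusts,
    or None so the caller falls back to local authentication or IdP selection."""
    for entity_id in reversed(parse_saml_idp_cookie(cookie_value)):
        if entity_id in known_idps:
            return entity_id
    return None


def proxy_decision(request_url, cookies, known_idps=KNOWN_IDPS):
    """Decide where to proxy an incoming authentication request.
    idpproxy=false on the request disables proxying for that request only."""
    params = parse_qs(urlparse(request_url).query)
    if params.get("idpproxy", [""])[0].lower() == "false":
        return None
    return preferred_idp(cookies.get("_saml_idp", ""), known_idps)
```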
In this first offering of Identity Provider Proxy, the same protocol (for example OASIS SAMLv2 or Liberty ID-FF) must be used for all communications between the participating entities. Participating entities may include service providers, intermediate identity provider proxies, and the actual Identity Provider. However, Identity Provider Proxy is planned to be extended in the future to support heterogeneous environments with multiple identity federation protocols. For example, in the future, Identity Provider Proxy may be used in an environment using SAMLv2 between Service Provider and Identity Provider Proxy. In the same environment, Liberty ID-FF might be used between the Identity Provider Proxy and the actual Identity Provider.