Filter entities globally?

[dnmvisser]

According to the docs, filtering identity providers is possible per SP.

We have 100s of SPs, and now I'm looking for a way to show a specific IdP only for a few SPs.

The only way I could make this work was by applying a snippet to those few SPs:

  'discopower.filter' => [
      'tags.include' => [
         'all'
      ],
      'entities.include' => [
          'https://needle.idp',
      ],
  ],

and then on every other SP excluding it:

  'discopower.filter' => [
      'entities.exclude' => [
          'https://needle.idp',
      ],
  ],

As said this works but a bit cumbersome as I'd have to make sure this will be there for each new SP etc.

Would it makes sense to be able to supply such a config at a higher level, for example in saml20-idp-hosted.php or some other place?

[tvdijen]

saml20-idp-remote.php would make sense, not saml20-idp-hosted.php.
I'm thinking something similar to how OpenConext does this; you can whitelist IdP on SP-level, and/or you can whitelist SPs on IdP-level.. Both have to allow the route for it to show in the discovery page.

I'm a little worried though, that by adding such functionality, we end up competing with products like OpenConext while the SAML-proxy isn't really our strongest point.

[thijskh]

I would be in favour of adding it. It's really not complex to implement (so we're not quite at the OpenConext level of complexity) so the costs are low and it's likely to solve some real world use cases.