Is there such a thing as IDP -> IDP authentication? (SAML2)

Hi all! Posted this on reddit, figured I’d cross-post here too…

Is there such a thing as IDP to IDP authentication?

Where I work we have this setup:

[Client IDP] <----> [Work SP]

– Client gets authenticated thru their portal

– Client navigates to our site; because we are set up as an SP, they are authenticated to our site via SAML2

What they want:

[Client IDP] <----> [Work SP]

[Work IDP] <----> [VendorSP]

– Client gets authenticated thru their portal

– Client navigates to our site; because we are set up as an SP, they are authenticated to our site via SAML2

– Client navigates to the vendor through our site and is authenticated via Work IDP.

If everything was going thru a single IDP this would be easy.

Is what I’m being asked to do even possible? I’ve never heard of anything like IDP to IDP communication. It would be like logging into Google with your Apple account…

If anyone has some insight or advice I’d appreciate it!

I can’t tell from your description if the federated authentication model that InCommon / EduRoam uses is similar or not, but certainly it’s possible to trust other authentication domains. That kind of thing has been true even with things like Kerberos and cross-realm trusts, but federated Shibboleth or similar seems closer to what you’re asking about.

Late reply, but yeah, got it sorted using identity federation. All good! Wish Keycloak used consistent verbiage; identity brokering is essentially identity federation.
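The brokering pattern the thread lands on, as an added example that is not code from the thread or from Keycloak: the "Work" system is an SP towards the client's IdP and an IdP towards the vendor's SP, so it validates the inbound assertion (trusted issuer, signature, audience, expiry) and only then issues a fresh assertion under its own signing key. The vendor never has to trust the client IdP directly. Everything here is constructed for illustration: the entity IDs and keys are made up, the HMAC stands in for XML-DSig, the assertion is a dataclass rather than XML, and `now` is passed in explicitly so the checks are deterministic.

```python
"""Toy model of SAML-style identity brokering (added example, not from the thread)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for a SAML assertion (constructed for this example)."""
    issuer: str            # entityID of the IdP that signed it
    subject: str           # NameID of the authenticated user
    audience: str          # entityID of the SP the assertion is meant for
    not_on_or_after: int   # expiry, unix seconds (SAML <Conditions>)
    signature: str = ""    # HMAC-SHA256 here; XML-DSig in real SAML

    def signed_bytes(self) -> bytes:
        fields = asdict(self)
        fields.pop("signature")
        return json.dumps(fields, sort_keys=True).encode()


def sign(a: Assertion, key: bytes) -> Assertion:
    mac = hmac.new(key, a.signed_bytes(), hashlib.sha256).hexdigest()
    return replace(a, signature=mac)


class Idp:
    def __init__(self, entity_id: str, key: bytes):
        self.entity_id, self.key = entity_id, key

    def issue(self, subject: str, audience: str, now: int, lifetime: int = 300) -> Assertion:
        return sign(Assertion(self.entity_id, subject, audience, now + lifetime), self.key)


class Sp:
    def __init__(self, entity_id: str, trusted_idps: dict):
        self.entity_id = entity_id
        self.trusted = trusted_idps  # issuer entityID -> verification key (from IdP metadata)

    def validate(self, a: Assertion, now: int) -> str:
        """Return the NameID if the assertion is acceptable, else raise ValueError."""
        key = self.trusted.get(a.issuer)
        if key is None:
            raise ValueError(f"untrusted issuer: {a.issuer}")
        expected = hmac.new(key, a.signed_bytes(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.signature):
            raise ValueError("bad signature")
        if a.audience != self.entity_id:
            raise ValueError(f"audience {a.audience} is not {self.entity_id}")
        if now >= a.not_on_or_after:
            raise ValueError("assertion expired")
        return a.subject


class Broker:
    """The 'Work' system: SP facing the client IdP, IdP facing the vendor SP."""
    def __init__(self, sp: Sp, idp: Idp):
        self.sp, self.idp = sp, idp

    def broker(self, inbound: Assertion, now: int, target: str) -> Assertion:
        subject = self.sp.validate(inbound, now)  # never re-issue what was not verified
        # Qualify the NameID with its source so two client IdPs cannot both claim "alice".
        return self.idp.issue(f"{inbound.issuer}!{subject}", target, now)


def run_flow(now: int = 1_700_000_000) -> dict:
    """Walk the three-step flow from the question and collect the outcomes."""
    CLIENT, WORK_SP = "https://idp.client.example", "https://sp.work.example"
    WORK_IDP, VENDOR = "https://idp.work.example", "https://sp.vendor.example"
    client_key, work_key = b"client-idp-key", b"work-idp-key"  # constructed keys
    client_idp = Idp(CLIENT, client_key)
    work = Broker(Sp(WORK_SP, {CLIENT: client_key}), Idp(WORK_IDP, work_key))
    vendor = Sp(VENDOR, {WORK_IDP: work_key})  # vendor trusts Work IdP only

    results = {}
    inbound = client_idp.issue("alice", WORK_SP, now)      # Client IdP -> Work SP
    outbound = work.broker(inbound, now, VENDOR)            # Work IdP -> Vendor SP
    results["vendor_subject"] = vendor.validate(outbound, now)
    results["vendor_saw_issuer"] = outbound.issuer

    def rejected(fn):
        try:
            fn()
            return None
        except ValueError as e:
            return str(e)

    # No direct trust path: the vendor rejects the client IdP's own assertion.
    results["direct_rejected"] = rejected(lambda: vendor.validate(inbound, now))
    # The broker refuses an assertion addressed to a different SP.
    results["wrong_audience_rejected"] = rejected(
        lambda: work.broker(client_idp.issue("alice", VENDOR, now), now, VENDOR))
    # ...and one whose validity window has passed.
    results["expired_rejected"] = rejected(
        lambda: work.broker(client_idp.issue("alice", WORK_SP, now - 600), now, VENDOR))
    return results


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

The order of checks in `Sp.validate` is the point of the example: a broker that mints a downstream assertion before verifying the upstream one turns itself into an open IdP for the vendor, which is why the signature, audience and expiry checks sit in front of `Idp.issue` rather than beside it.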