Identity Providers partitioning

Identity Providers partitioning divides the Identity Providers repository into partitions. This means that an IdP of a given IdP type must be unique within each partition (except SAML IdP).

Prerequisites

Please read the Persons partitioning topic guide before reading this topic guide, as IdP partitioning is based on the same mechanisms.

IdP Global partition

There is a special partition called Global. If an IdP is defined in the Global partition it is available in all partitions (only the Username and Password IdP is supported). Additionally, if a Username and Password IdP is defined in the Global partition, it is not possible to add a new Username and Password IdP for any specific partition.

Example

The extension is configured with 2 valid partitions (PartitionIdListProvider interface):

  • p1
  • p2

PreSessionProcessExtension on the extension side is configured as follows:

Hostname                            Active partition
http://idp-core-1.dev.onegini.me    p1
http://idp-core-2.dev.onegini.me    p2

And the Onegini IdP is configured to contain the following IdPs in the admin panel:

IdP name    IdP Type                Partition
unp         Username and Password   Global
fb1         Facebook                p1
fb2         Facebook                p2

  1. If a user enters http://idp-core-1.dev.onegini.me and wants to register using the Username and Password IdP, then unp is chosen, because there is no Username and Password IdP defined in partition p1.
  2. If a user enters http://idp-core-1.dev.onegini.me and wants to register using the Facebook IdP, then fb1 is chosen.
  3. If a user enters http://idp-core-2.dev.onegini.me and wants to register using the Facebook IdP, then fb2 is chosen.
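The resolution rules above (one IdP per type per partition except SAML, the Global partition reserved for Username and Password, and the Global fallback when a partition has no Username and Password IdP of its own) can be modelled as a small registry. The following is an added example and not Onegini code: the class and function names (IdpRegistry, Idp, resolve, try_add) are assumptions, the hostname-to-partition table stands in for the PreSessionProcessExtension configuration, the partition list stands in for PartitionIdListProvider, and the sample data is the example configuration from this page.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constants named after the values used on the page (assumed spelling).
GLOBAL = "Global"
USERNAME_PASSWORD = "Username and Password"
SAML = "SAML"


@dataclass(frozen=True)
class Idp:
    """One row of the admin panel IdP table (hypothetical model)."""
    name: str
    idp_type: str
    partition: str


class IdpRegistry:
    """Holds IdPs and enforces the partitioning rules described on the page."""

    def __init__(self, partition_ids: Iterable[str], hostname_partitions: Dict[str, str]):
        # Valid partition ids (stands in for PartitionIdListProvider) and the
        # hostname -> active partition mapping (stands in for PreSessionProcessExtension).
        self._partitions = set(partition_ids)
        self._hostname_partitions = dict(hostname_partitions)
        self._idps: List[Idp] = []

    def _find(self, idp_type: str, partition: str) -> Optional[Idp]:
        for idp in self._idps:
            if idp.idp_type == idp_type and idp.partition == partition:
                return idp
        return None

    def add(self, idp: Idp) -> None:
        """Add an IdP, rejecting anything the partitioning rules forbid."""
        if idp.partition == GLOBAL:
            # Only Username and Password may live in the Global partition.
            if idp.idp_type != USERNAME_PASSWORD:
                raise ValueError("only a Username and Password IdP may be defined in Global")
        elif idp.partition not in self._partitions:
            raise ValueError(f"unknown partition {idp.partition!r}")
        elif idp.idp_type == USERNAME_PASSWORD and self._find(USERNAME_PASSWORD, GLOBAL):
            # A Global Username and Password IdP blocks partition-specific ones.
            raise ValueError("a Global Username and Password IdP already exists")
        # Per type and partition the IdP must be unique, except for SAML.
        if idp.idp_type != SAML and self._find(idp.idp_type, idp.partition):
            raise ValueError(f"{idp.idp_type} IdP already defined in {idp.partition!r}")
        self._idps.append(idp)

    def resolve(self, hostname: str, idp_type: str) -> Optional[Idp]:
        """Pick the IdP a user on `hostname` gets for `idp_type`, with Global fallback."""
        if hostname not in self._hostname_partitions:
            raise ValueError(f"no active partition configured for {hostname!r}")
        partition = self._hostname_partitions[hostname]
        idp = self._find(idp_type, partition)
        if idp is None and idp_type == USERNAME_PASSWORD:
            idp = self._find(USERNAME_PASSWORD, GLOBAL)
        return idp


def try_add(registry: IdpRegistry, idp: Idp) -> bool:
    """Return True if the IdP was accepted, False if a partitioning rule rejected it."""
    try:
        registry.add(idp)
        return True
    except ValueError:
        return False


def build_page_example() -> IdpRegistry:
    """Registry populated with the configuration shown in the example above."""
    registry = IdpRegistry(
        ["p1", "p2"],
        {
            "http://idp-core-1.dev.onegini.me": "p1",
            "http://idp-core-2.dev.onegini.me": "p2",
        },
    )
    registry.add(Idp("unp", USERNAME_PASSWORD, GLOBAL))
    registry.add(Idp("fb1", "Facebook", "p1"))
    registry.add(Idp("fb2", "Facebook", "p2"))
    return registry


if __name__ == "__main__":
    reg = build_page_example()
    for host, kind in [
        ("http://idp-core-1.dev.onegini.me", USERNAME_PASSWORD),
        ("http://idp-core-1.dev.onegini.me", "Facebook"),
        ("http://idp-core-2.dev.onegini.me", "Facebook"),
    ]:
        print(host, kind, "->", reg.resolve(host, kind).name)
```

Running the module reproduces the three cases from the numbered list; the `add` checks show why the uniqueness rule matters: without it `resolve` would have to pick between two Facebook IdPs in the same partition by accident of ordering.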