<div dir="ltr"><div><div><div>Hi,<br><br></div>The RP should be able to do that actually.<br></div>The access token is a JWT (as other products do). Therefore, based on the "iss" claim, the RP should be able to know which IDP to call.<br><br></div><div>If you want one instance to do it, you would need to overwrite the class org.mitre.oauth2.web.IntrospectionEndpoint which is responsible of the token validation and implement the logic you describe. In any case, it is not possible out-of-the-box.<br></div><div><br><br><br></div>Y.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 5, 2016 at 4:23 PM, Michael Furman <span dir="ltr"><<a href="mailto:michael_furman@hotmail.com" target="_blank">michael_furman@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_544548933931636255divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<p></p>
<div>
<p class="MsoNormal">Hi all,</p>
<p class="MsoNormal">Is it possible to configure trust between 2 IDPs?</p>
<p class="MsoNormal">Is the IDP federation supported by specs?</p>
<p class="MsoNormal">I do not mean IDP clustering (or high availability).</p>
<p class="MsoNormal">I want to be able to configure the primary IDP and the secondary IDP.</p>
<p class="MsoNormal">Each IDP can have its own user repository.</p>
<p class="MsoNormal">RP always works with the primary IDP.</p>
<p class="MsoNormal">If a user authentication is failed against the primary IDP, the primary IDP negotiates with the secondary IDP.</p>
<p class="MsoNormal">Is it possible?</p>
<p class="MsoNormal">Thank you in advance for your help.</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal"><span> </span>Michael</p>
</div>
<br>
<p></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
mitreid-connect mailing list<br>
<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/mitreid-<wbr>connect</a><br>
<br></blockquote></div><br></div>