An IDP Broker between IDP Vendors
Hello,
My company has two IDP vendors: Azure Entra ID and Okta. When using Shibboleth, it only allows you to specify one Service Provider. I know Shibboleth has an add-on package that will let you specify more than one SP, but it's complete customization, and I see on Google searches that it's not a great solution (not supported, completely on your own for troubleshooting).
I'd like to know what people have done for a SAML SSO Broker in the middle between the IdPs and Windchill. Meaning when the user tries to log in to Windchill, they get a prompt asking them which IDP they wish to authenticate against from the Broker, and the Broker will route the session to the IDP for Authentication, with the Broker sending the session back to Shibboleth as Authorized.
Ping Federate has this capability, but is $$$$
Okta does not have this capability.
Azure has this capability in Entra B2B, but it would be a massive effort to implement as a NEW IDP vendor corporate-wide, as Azure sells it as a separate tenant from Entra.
Has anyone implemented Passport with Windchill for SAML or OAuth?
Other "Brokers" are also welcome...
Looking forward to hearing what people have done if they have this use case.
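The hub-and-spoke flow described in the post (user picks an IdP, the broker routes the login to that IdP, then hands the result on to the single SP that Shibboleth knows about) can be sketched in a few dozen lines. The following is an added illustration, not code from the original post or from any of the products named: it is a toy broker using only the Python standard library. All URLs, entity IDs and the "okta"/"entra" registry entries are constructed placeholders, and the response signature check that a real broker would perform with a SAML library is left as a comment. What the example does show is the part that matters for security in a broker: the IdP choice is validated against an allowlist, the RelayState ties each outbound request to the IdP it was sent to, and a response is only accepted if its Issuer and InResponseTo match that pending request.

```python
import base64
import secrets
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed IdP registry (placeholder entity IDs and SSO URLs, not real tenants).
IDPS = {
    "entra": {"entity_id": "https://idp-entra.example.invalid/metadata",
              "sso_url": "https://idp-entra.example.invalid/saml2"},
    "okta": {"entity_id": "https://idp-okta.example.invalid/metadata",
             "sso_url": "https://idp-okta.example.invalid/sso/saml"},
}
BROKER_ENTITY_ID = "https://broker.example.invalid/saml/metadata"
BROKER_ACS = "https://broker.example.invalid/saml/acs"

# Pending logins keyed by RelayState: which IdP we routed to and which request ID we expect.
PENDING = {}


def start_login(selected_idp, return_to):
    """Build the HTTP-Redirect binding URL for the IdP the user chose."""
    if selected_idp not in IDPS:  # never redirect to an IdP outside the allowlist
        raise ValueError("unknown IdP selection")
    idp = IDPS[selected_idp]
    request_id = "_" + uuid.uuid4().hex
    relay_state = secrets.token_urlsafe(24)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp["sso_url"]}" AssertionConsumerServiceURL="{BROKER_ACS}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{BROKER_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    encoded = base64.b64encode(deflated).decode()
    PENDING[relay_state] = {"idp": selected_idp, "request_id": request_id, "return_to": return_to}
    return idp["sso_url"] + "?" + urlencode({"SAMLRequest": encoded, "RelayState": relay_state})


def decode_redirect_request(url):
    """Inverse of the redirect binding; returns (relay_state, request_id, destination)."""
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return qs["RelayState"][0], root.get("ID"), root.get("Destination")


def constructed_idp_response(request_id, issuer_entity_id, name_id):
    """Constructed, unsigned sample Response an IdP might POST back (test fixture only)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" '
        f'Version="2.0" InResponseTo="{request_id}"><saml:Issuer>{issuer_entity_id}</saml:Issuer>'
        f'<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def handle_response(relay_state, saml_response_b64):
    """Accept a response only if it comes from the IdP this RelayState was routed to."""
    pending = PENDING.pop(relay_state, None)  # one-shot: a replayed RelayState is rejected
    if pending is None:
        raise ValueError("unknown or replayed RelayState")
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    expected = IDPS[pending["idp"]]
    if root.findtext(f"{{{SAML}}}Issuer") != expected["entity_id"]:
        raise ValueError("Issuer does not match the IdP this login was routed to")
    if root.get("InResponseTo") != pending["request_id"]:
        raise ValueError("InResponseTo does not match the pending request")
    # A real broker verifies the XML signature against expected["entity_id"]'s metadata
    # certificate here, then mints its own assertion for the Shibboleth SP.
    return {"idp": pending["idp"], "return_to": pending["return_to"],
            "subject": root.findtext(f".//{{{SAML}}}NameID")}


def demo():
    """Round trip through the chosen IdP; returns the identity the broker would forward."""
    url = start_login("okta", "https://windchill.example.invalid/Windchill")
    relay_state, request_id, _ = decode_redirect_request(url)
    response = constructed_idp_response(request_id, IDPS["okta"]["entity_id"], "alice@example.invalid")
    return handle_response(relay_state, response)


if __name__ == "__main__":
    print(demo())
```

The Issuer/InResponseTo check is the piece most often missed in home-grown brokers: without it, a valid assertion from one configured IdP can complete a login that was started against the other, which defeats the point of letting the user choose.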

