It is now possible to configure connections to multiple SAML Identity Providers when Liferay is acting as a Service Provider. These can each authenticate the same or different sets of users, giving great flexibility in how users are managed and how access is controlled.
By default, the SAML plugin lets the user select the Identity Provider he or she would like to sign in with, but this behavior can easily be changed by registering a custom com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile service (the interface is provided by the com.liferay.saml.api module) in OSGi.
This requires the developer to implement only one method: isEnabled(SamlSpIdpConnection, HttpServletRequest). The service is invoked once for every configured Identity Provider connection at the time the standard portal Login Action is requested (for example, when a user clicks the "sign in" link); that request is the HttpServletRequest passed as the second parameter. The developer simply returns true for the Identity Providers the user should be able to select from.
Whenever exactly one Identity Provider is enabled for the HttpServletRequest, the user will be automatically redirected to it without needing to make a selection.
Whenever no Identity Provider is enabled for the HttpServletRequest, the behavior depends on a new SAML Service Provider configuration setting: com.liferay.saml.runtime.configuration.SamlProviderConfiguration.allowShowingTheLoginPortlet() ("Allow showing the login portlet"). This can be set via the Service Provider administration UI. When set to true, the Service Provider delegates to the normal Login Action, which out of the box means presenting an email address and password sign-in prompt. When set to false, a message is presented stating that no Identity Provider is available to sign the user in.
Below is a simple example implementation of SamlSpIdpConnectionsProfile which only allows login via Identity Providers whose connection name contains the string "IDP".
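The following is an added example written for this page, not code shipped with Liferay: an OSGi component implementing SamlSpIdpConnectionsProfile that offers only connections whose name contains "IDP". It assumes the package com.example.saml, that SamlSpIdpConnection lives in com.liferay.saml.persistence.model and exposes getName(), and that a service.ranking property is what lets this implementation take precedence over the default one.

```java
// Added example, not the original page's code. Assumptions: the hypothetical
// package com.example.saml, the model class package below, and that
// service.ranking outranks the default SamlSpIdpConnectionsProfile.
package com.example.saml;

import com.liferay.saml.persistence.model.SamlSpIdpConnection;
import com.liferay.saml.runtime.servlet.profile.SamlSpIdpConnectionsProfile;

import javax.servlet.http.HttpServletRequest;

import org.osgi.service.component.annotations.Component;

@Component(
	immediate = true,
	property = "service.ranking:Integer=100",
	service = SamlSpIdpConnectionsProfile.class
)
public class NameFilteringSamlSpIdpConnectionsProfile
	implements SamlSpIdpConnectionsProfile {

	// Substring an IdP connection name must contain to be offered at sign-in.
	private static final String REQUIRED_NAME_FRAGMENT = "IDP";

	@Override
	public boolean isEnabled(
		SamlSpIdpConnection samlSpIdpConnection,
		HttpServletRequest httpServletRequest) {

		// Invoked once per configured IdP connection on every Login Action
		// request. Fail closed: a missing connection or name is never offered,
		// so a misconfigured entry cannot silently become a sign-in option.
		if (samlSpIdpConnection == null) {
			return false;
		}

		String name = samlSpIdpConnection.getName();

		if (name == null) {
			return false;
		}

		return name.contains(REQUIRED_NAME_FRAGMENT);
	}

}
```

If exactly one connection passes this filter the user is redirected to it directly; if none pass, the allowShowingTheLoginPortlet() setting decides whether the plain login portlet or the "no Identity Provider available" message is shown.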