F5 SAML as IdP - Architecture Question

Hi Luis,

Here is my two cents;

• The IdP will normally be configured (especially for public applications) using a FQDN. As such, wherever the client resolves the FQDN to, will be the IdP from the client's perspective. This means that technically, if you resolve the DNS entry differently for external and internal users, you could have an IdP on two different IP's.
• I don't think there is a technical limitation to having multiple different IdP's and having them operate as one, but all scenarios I have worked with, it's always been 1 IdP per organisation per application and I wouldn't recommend having more than one IdP per organisation per application.
• Different applications within the same organisation could be a different story - again, not common, but more likely. As the IdP is configured on an per-SP basis, you could point SP1 to IdP1 and SP2 to IdP2.
• If it was up to me, and the IdP is already at the edge and serving up responses for external clients, I would probably let my internal users connect to the same IdP with the same IP to give a clear single entrypoint for any IdP traffic and it means I only have to monitor and control this one IdP and entrypoint.
• I would probably also use this one single IdP for all SP's that I have control over. This will greatly improve session control, SingleLogin and SingleLogout capabilities and centralized management overall.

Hope this helps.