Hello Pierre,
First of all, thanks a lot for your reply, @Pierre Audonnet - MSFT.
To give you more details: some users are connected to an external portal and want to access an application federated by ADFS without signing in again:
- The user is connected to his external portal with his external credentials (external ID/PWD)
- He wants to access an application federated by my ADFS
- I declared the external IdP as a CPT in ADFS, so ADFS receives a SAML assertion with the external ID
- ADFS must find the corresponding LDAP ID and send it as an output claim
The CPT provides only the external ID, because the mapping is stored in my LDAP directory.
It's a legacy design made for security considerations, and because an internal ID can be mapped to several external portals.
So there is a multivalued attribute which stores this mapping in the LDAP user entries.
I will follow your advice and check if my LDAP supports GSSAPI.
I don't think I can skip the attribute store, because there is no correlation between the external and internal ID.
That's why I tried to configure a delegation between the external IdP and my ADFS, followed by a mapping in ADFS, but maybe there is a better scenario.
Regards.
Cédric
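The scenario Cédric describes (CPT delivers an external ID, ADFS resolves it to the internal LDAP ID through a multivalued mapping attribute) can be expressed as an LDAP attribute store plus acceptance transform rules on the claims provider trust. The following is an added example, not configuration from the thread or from Microsoft; the store name `LegacyLDAP`, the connection string, the multivalued attribute `externalIds` with values of the form `portalA:<externalId>`, the LDAP attribute `uid` holding the internal ID, the incoming claim type and the CPT display name are all assumptions. The `filter;attributes` query form is the one used by the generic LDAP attribute store (the built-in Active Directory store uses the different `;attributes;{0}` form); verify both the query form and the `Connection` configuration key against your ADFS version.

```powershell
# Added example (not from the thread): register the LDAP directory as an ADFS
# attribute store and map the external ID to the internal ID on the CPT.
# Assumptions: store "LegacyLDAP"; multivalued LDAP attribute "externalIds" with
# values like "portalA:12345"; LDAP attribute "uid" holds the internal ID;
# the external portal sends its ID in the assumed claim type below.

# 1. Register the LDAP directory. The built-in LDAP attribute store binds with the
#    ADFS service account (hence the GSSAPI question); "Connection" is the assumed
#    key for the connection string.
Add-AdfsAttributeStore -Name "LegacyLDAP" -StoreType LDAP `
    -Configuration @{ "Connection" = "LDAP://ldap.example.com:389/ou=people,dc=example,dc=com" }

# 2. Acceptance transform rules on the CPT for the external portal.
$rules = @'
@RuleName = "Only accept well-formed external IDs"
c:[Type == "http://portal-a.example/claims/externalId", Value =~ "^[A-Za-z0-9._-]{1,64}$"]
 => add(Type = "urn:tmp:externalId", Value = "portalA:" + c.Value);

@RuleName = "Map external ID to internal ID through LDAP"
c:[Type == "urn:tmp:externalId"]
 => issue(store = "LegacyLDAP",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"),
          query = "(&(objectClass=inetOrgPerson)(externalIds={0}));uid",
          param = c.Value);
'@

Set-AdfsClaimsProviderTrust -TargetName "External Portal A" -AcceptanceTransformRules $rules

# 3. The application's relying party trust still needs a pass-through rule for the
#    mapped claim, otherwise the internal ID never reaches the application.
Set-AdfsRelyingPartyTrust -TargetName "Internal Application" -IssuanceTransformRules @'
@RuleName = "Pass through internal ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
```

Three points worth checking in such a setup. The external ID comes from a third-party assertion and is substituted into an LDAP filter, so the first rule restricts it to a safe character set before it is used as a query parameter. Prefixing the value with the portal name (`portalA:`) means that ID `12345` at portal A cannot resolve to the user who stored `12345` for portal B in the same multivalued attribute; an equality filter on a multivalued attribute matches if any one value is equal, which is exactly what the mapping needs. Finally, ADFS issues one claim per LDAP entry returned, so the `externalIds` values must be unique across user entries, or a single login would yield several UPNs.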