Gluu is currently evaluating the idea of incorporating the Asimba SAML platform on the Gluu Server (in addition to Shibboleth). SAML can be confusing, even to the experts. We at Gluu worked on the diagram below as a simple overview of why a SAML proxy might be useful, and where it would fit in the Gluu open source stack.
A few things to note:
The main advantage of the proxy is a very simple configuration for the SP. If the website is a SaaS or off-the-shelf software, you may only get one way to trust the IDP. Discovery and re-direction to your respective home domain IDP are handled by the proxy.
Internal websites that don’t care about other federated IDPs can just point to your SAML IDP directly.
Applications using the Asimba proxy can request a specific authentication type via a SAML ACR request.
Authentication business logic is handled in OX, so there is no need to support 2FA in both SAML and OAuth2.
In many cases, the OX OP also grabs a legacy SSO ticket (e.g. CAS or Siteminder).
In a federation with many IDPs, if the participants trust the federation operator, it is efficient for the federation operator to manage trust with the websites. For example, instead of asking 1,000 IDPs to update their configuration, just update the proxy.
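The ACR request mentioned in the list above, sketched as an added example (not Gluu or Asimba code): the SP builds a SAML 2.0 AuthnRequest with a RequestedAuthnContext, the proxy reads the requested class reference, and the method actually performed is checked against it so a weaker login is not silently accepted. The function names are hypothetical, and signing and transport encoding are out of scope.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(issuer, destination, acs_url, acr_values, comparison="exact"):
    """SP side: AuthnRequest carrying a RequestedAuthnContext (the ACR request)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for acr in acr_values:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = acr
    return ET.tostring(req, encoding="unicode")

def requested_acr(xml_text):
    """Proxy side: return (comparison, [class refs]); the list is empty if none requested."""
    # SAML messages never need a DTD; refuse one before the parser sees it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return ("exact", [])
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    # Comparison defaults to "exact" when the attribute is omitted.
    return (rac.get("Comparison", "exact"), refs)

def acr_satisfied(comparison, requested, performed):
    """Check the method actually performed against the request; fail closed."""
    if not requested:
        return True
    if comparison != "exact":
        # "minimum"/"better"/"maximum" need an ACR ordering the deployment defines.
        raise ValueError("non-exact comparison needs a deployment-defined ACR ordering")
    return performed in requested
```

The SP should run the same `acr_satisfied` check on the AuthnContextClassRef in the assertion it receives back, since the request alone does not guarantee the stronger method was used.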