SAML newbie question - do cross IdP trusts exist in SAML?

[Krishna Ganugapati <kganugapati@gmail.com>]

Hello I'm generally familiar with Kerberos realms. Here is my questions. What is the equivalent of cross realm trusts in the SAML world - is there the equivalent of cross IdP trusts

 

In kerberos, if I have two realms where the user X is a member of Realm A and the service Z is a member of Realm B, cross realm trusts allow for user  X to get a TGT from Realm A followed by a TGT from Real B followed by a service ticket for service Z

 

Does this equivalent exist in SAML? All of the examples I see involve a user, a single IdP and an SP. User attempts to contact  SP, SP refers him to IdP, IdP issues security token to user, user passes security token to  SP. It appears that the SP refers the user to the IdP.

 

In the scenario I'm looking at

 

In my SAML scenario, there are two IdPs  (IdP1 and IdP2) that trust each other.  User  X is known by IdP1 and  SP  Z trusts IdP2. IdP1 and IdP2 trust each other. 

 

a) What is the protocol sequence here? Given that SPs refer users to an IdP, it's like a reverse Kerberos referral model.  Would SP refer user X to IdP2 who in turn refers X to IdP1 which results then in a security token from IdP1, followed by a security token from IdP2, followed by access to the resource

 

b) If a) is correct, could someone point me to the drafts that do this?

 

c)  Do  existing SAML toolkits do something like this?