
shibboleth-dev - Setting up a shared Shibboleth IdP - can it be done?

Subject: Shibboleth Developers

  • From:
  • To:
  • Subject: Setting up a shared Shibboleth IdP - can it be done?
  • Date: Wed, 19 Oct 2005 03:36:55 -0400 (EDT)

Hello

I'm investigating whether Shibboleth can be set up in such a way that we can
set up one single IdP that can be shared between several organizations, and
direct the authentication for users towards the correct UserDB inside the
user's own organization.

We'd base the location of the correct UserDB on the username, which would
have a part that identified the home organization of the user.

This means we're looking to set up Shibboleth in a single, shared IdP
instance (or several virtual ones) hosted and operated in a separate location
apart from all the different UserDBs, which would reside inside each of the
organizations sharing this Shibboleth IdP.

My theory is that it can be done, and that it is possibly not doable straight
"out of the box" through configurations, but would also entail some
modifications to the code base.

I would like the views of this list: can it be done? How difficult is it? Has
anybody tried such a setup?

Any help is greatly appreciated.

Regards,
Nils A Thommesen,
UNINETT, Norway's NREN

P.S. I posted the same question yesterday, in a more verbose post, to the
shibboleth-users mailing list. Apologies to those who read both lists. For
those that would like more background on why we're investigating this, I
suggest you read that post (archived at
https://mail.internet2.edu/wws/arc/shibboleth-users/2005-10/msg00107.html)


