Application Stages and Metadata Generation

Jonathan Champ jonathan_champ at
Mon Nov 7 22:03:29 GMT 2011


My goal is to use Shibboleth for authentication only as part of some
applications with multiple stages.

The stages all live on separate boxes and do not need to share a session.

Production Box:

QA Box:

Development Box:

Currently, I have the configuration set up so that there is an
applicationId for myapp and an applicationId for hostedapps, which all
seems to be working.

The issue that I don't know how to solve is what I should send to the
IdP. My original plan was to group it by logical application such that
the Metadata for the entityID would
have the ACS endpoints for, and Then,
I would have a second EntityDescriptor for the hostedapps* hosts.

Is this possible? It seems like this would be the recommended behavior,
so that the IdP Metadata doesn't gain an entity for each stage of each
logical application.

Please let me know what is recommended as none of the examples I found
on the Shibboleth 2.x wiki provided any example of the way to implement
the given requirement: "Note that each virtual host (combination of
scheme, hostname, and port) operating within a particular SP MUST have
its own set of endpoints expressed in the metadata."

Thank you,

Jonathan Champ
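
Added example, not part of the original post or of Shibboleth's own code: a Python sketch of the layout the post describes, one EntityDescriptor carrying an indexed ACS endpoint per stage, plus a check of the quoted per-virtual-host requirement. The hostnames and entityID are constructed placeholders, the ACS path assumes the SP's default /Shibboleth.sso handler, and key descriptors are omitted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_PATH = "/Shibboleth.sso/SAML2/POST"  # assumed: default SP handler location
ET.register_namespace("md", MD)

# Constructed placeholders; the post's real hostnames are not shown.
ENTITY_ID = "https://myapp.example.org/shibboleth"
STAGES = ["https://myapp.example.org", "https://myapp-qa.example.org",
          "https://myapp-dev.example.org"]

def build_entity(entity_id, vhosts):
    """One EntityDescriptor with one indexed ACS endpoint per virtual host."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for i, base in enumerate(vhosts, start=1):
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=POST,
                      Location=base.rstrip("/") + ACS_PATH, index=str(i))
    return ed

def vhost(url):
    """A virtual host is the (scheme, hostname, port) combination."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"https": 443, "http": 80}.get(u.scheme))

def check_entity(ed, vhosts):
    """Return a list of problems; an empty list means every vhost is covered."""
    acs = ed.findall(f".//{{{MD}}}AssertionConsumerService")
    covered = {vhost(a.get("Location")) for a in acs}
    problems = [f"no ACS endpoint for {v}" for v in vhosts if vhost(v) not in covered]
    indexes = [a.get("index") for a in acs]
    if len(indexes) != len(set(indexes)):
        problems.append("duplicate ACS index")
    for a in acs:
        if urlsplit(a.get("Location")).scheme != "https":
            problems.append(f"non-TLS ACS: {a.get('Location')}")
    return problems

if __name__ == "__main__":
    entity = build_entity(ENTITY_ID, STAGES)
    print(ET.tostring(entity, encoding="unicode"))
    print(check_entity(entity, STAGES) or "all virtual hosts covered")
```
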
