Application Stages and Metadata Generation
jonathan_champ at ncsu.edu
Mon Nov 7 22:03:29 GMT 2011
My goal is to use Shibboleth for authentication only as part of some
applications with multiple stages.
The stages all live on separate boxes and do not need to share a session.
Currently, I have the configuration setup so that there is an
applicationId for myapp and an applicationId for hostedapps, which all
seems to be working.
The issue that I don't know how to solve is what I should send to the
IdP. My original plan was to group it by logical application such that
the Metadata for the entityID https://myapp.example.com/shibboleth would
have the ACS endpoints for https://myapp.example.com/,
https://myapp-qa.example.com/ and https://myapp-dev.example.com/. Then,
I would have a second EntityDescriptor for the hostedapps* hosts.
Is this possible? It seems like this would be the recommended behavior,
so that the IdP Metadata doesn't gain an entity for each stage of each
Please let me know what is recommended as none of the examples I found
on the Shibboleth 2.x wiki provided any example of the way to implement
the given requirement: "Note that each virtual host (combination of
scheme, hostname, and port) operating within a particular SP MUST have
its own set of endpoints expressed in the metadata."
More information about the users