Issue: Using differents idp's to securize different hosts

Eduardo Fernandes edufer at
Mon Sep 12 21:21:21 BST 2011

Hi all.

I just setup Shibboleth SP to use different IdP's using the typical
ISAPI/Site/Alias and RequestMap/Host entries in the Shibboleth2.xml file.
I'm, of course, using IIS with the ISAPI filter.
After doing that everything worked fine. The problem I have is that I'd like
to oblige each site to be securized using a specific IdP. Let me try to
explain it: I'm using the current SP version 2.4.3.

Http get: -> idp1 -> authentication
-> go to resource ok...

After that I have in my browser, among other cookies, the Shibboleth session
cookie. So now I send all the cookies I got from the previous authentication
to other site:

http get -> go to the resource ok.
In my config file I setup that hosts2 should be securized using idp2 but no
authentication is required.

Of course if I just open my browser and ask for hosts2's resource I'm
redirected to idp2 for authentication.

Is there a way to oblige Shibboleth SP to force authentication even if I
resent cookies, etc to hosts2? I read about the forceauth option but this
only will always force authentiction, right?

Many thanks for your help,

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list