SSO Implementation

Peter Schober peter.schober at
Thu Nov 1 06:29:37 EDT 2012

* Raz's <gajula.rajashekhar at> [2012-11-01 10:20]:
> No progress after modification of the metadata as per your specification
> and also when i'm trying to access the ** then *
>* is showing @ ** idp logon page after
> successful authencation same error message am getting and also sessions are
> created for ** not for the * *on *

I don't understand any of that. Adding the other vhosts to ACS URLs
works and is sufficient for what you asked for.

The IdP will check any ACS URLs from the SP's authentication request
against metadata. so each and every vhost you want your SP to be
"active" needs to be presented in metadata. The simplest way to
achieve this is like Nate said, by adding additional ACS URLs to an
existing EntityDescriptor. This works and we and many others are using
this for hundreds and thousands of vhosts.

> i think you understand my scenario, here we going to provide the SP
> implementation based on the sub domains with unique IDP for each sub
> domain and also sessions and logout configuration may vary from each
> sub domain.

HTTP Cookies involved will only be scoped to a host (unless you change
that) and so every vhost will have seperate sessions (because the
subject's HTTP User Agent will not transfer cookies issued by to

Logout is a different matter altogether, see the SLOIssues topic
in the documentation.

Also note that if your IdP supports SLO (so you're /not/ using the
Shibboleth IdP, because it doesn't) you can't use the method Nate
mentioned, as you can only have one SLO endpoint for the
EntityDescriptor so this will only be one of the many vhosts you'd
have and therefore you're unable to trigger SLO on all those other
In that case you would have to create a seperate EntityDescriptor for
every single vhost, with corresponding overrides at the SP.

This is just fyi, and I doubt any of this wil help you at this stage
and phase of confusion,

More information about the users mailing list