SSO Implementation

Raz's gajula.rajashekhar at
Thu Nov 1 13:56:59 EDT 2012

Thanks you very much Peter and Nate.....:), finally working our scenario
but i need to observe it properly.....

Right now vhosts i.e. and are going to
IDP but once i logon to either one of it i.e. dev or test then both secure
apps are showing, may be IDP(testshib) is common for both vhosts.
Practically, when ever accessing vhosts 1st time it has to go to IDP then
looks for the authentication then only secure should be shown up on the
screen for this i used forceAuthn @ host element but it's giving the error
message in the following scenario

1st i accessed using the user1 credentials it's allowed
the secured app and working fine but when i tried to access then its waiting for the credentials but now i want to
provide user2 credentials then it showing error message like

The system encountered an error at Thu Nov 01 13:50:54 2012
To report this problem, please contact the site administrator at
root at localhost.
Please include the following message in any email:
opensaml::FatalProfileException at (
SAML response contained an error.
Error from identity provider:

Status: urn:oasis:names:tc:SAML:2.0:status:Responder
Sub-Status: urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

But its not showing errors when i use user1 in twice.

Please guide me on this with your values suggestions.

- Raja

On Thu, Nov 1, 2012 at 3:59 PM, Peter Schober <peter.schober at>wrote:

> * Raz's <gajula.rajashekhar at> [2012-11-01 10:20]:
> > No progress after modification of the metadata as per your specification
> > and also when i'm trying to access the ** then *
> >* is showing @ ** idp logon page after
> > successful authencation same error message am getting and also sessions
> are
> > created for ** not for the * *on *
> >*.
> I don't understand any of that. Adding the other vhosts to ACS URLs
> works and is sufficient for what you asked for.
> The IdP will check any ACS URLs from the SP's authentication request
> against metadata. so each and every vhost you want your SP to be
> "active" needs to be presented in metadata. The simplest way to
> achieve this is like Nate said, by adding additional ACS URLs to an
> existing EntityDescriptor. This works and we and many others are using
> this for hundreds and thousands of vhosts.
> > i think you understand my scenario, here we going to provide the SP
> > implementation based on the sub domains with unique IDP for each sub
> > domain and also sessions and logout configuration may vary from each
> > sub domain.
> HTTP Cookies involved will only be scoped to a host (unless you change
> that) and so every vhost will have seperate sessions (because the
> subject's HTTP User Agent will not transfer cookies issued by
> to
> Logout is a different matter altogether, see the SLOIssues topic
> in the documentation.
> Also note that if your IdP supports SLO (so you're /not/ using the
> Shibboleth IdP, because it doesn't) you can't use the method Nate
> mentioned, as you can only have one SLO endpoint for the
> EntityDescriptor so this will only be one of the many vhosts you'd
> have and therefore you're unable to trigger SLO on all those other
> vhosts.
> In that case you would have to create a seperate EntityDescriptor for
> every single vhost, with corresponding overrides at the SP.
> This is just fyi, and I doubt any of this wil help you at this stage
> and phase of confusion,
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list