Sending different entityIDs to same relying party - Office 365 requirement

Christopher Bongaarts cab at
Fri Feb 1 15:34:57 EST 2013

On 1/31/2013 11:38 AM, Matheesha Weerasinghe wrote:
> In Office 365 if the customer can choose to register a bunch of DNS
> domains they own with UPNs in the format of john at
> <mailto:john at> . They can then configure O365 such that it
> knows the SAML endpoint for each domain (e.g.
> <>, <>). When a user
> attempts to access O365, they will be redirected to Shibboleth which
> will issue a token which O365 will in turn consume and accordingly
> allow/deny access to the service.
> In configuring the EntityID for each of these domains, there is a
> requirement to ensure each one is unique. This presents a problem if the
> customer has several domains but wants to use one Shibboleth
> implementation to handle the authentication for all of them. AFAIK, you
> can only define one relying party in the XML. This means Shibboleth will
> always send the same relying party regardless of the user it issued the
> token for.

I don't know about O365, but for Google Apps, each "domain" on the 
google side has its own entity ID (i.e. each is effectively a separate 

The Shibboleth IdP is able to use a different entity ID for itself 
depending on the calling SP/RP (you just set up multiple RelyingParty 
entries in relying-party.xml).

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the users mailing list