Sub-domain per Entity

bmontgomery bmontgomery at
Mon Feb 25 12:15:34 EST 2013

I've got the Native SP IIS software running. The way it is currently set up
is as follows. Each tenant gets their own sub-domain so that we can identify
the tenant without having to ask the user (e.g.,,, We redirect the user to the Shib
login page with an entityID query string set to the correct entity ID (based
on the sub-domain). This URL is the client-specific sub-domain, so it looks
something like "". Authentication is
negotiated, and then the user is redirected back into our application at the
proper sub-domain (""). 

The problem with this is that we have to configure a new set of SP URL's
every time we want to enable single sign on for a tenant. This is because
when the SAML request is sent by Shib to the IdP, the ACS URL is set to a
URL with the specific sub-domain (e.g. I'd like to
make it so that there is one SP which is used for everyone for
authentication (, but then the users are still redirected
back into our application with the correct sub-domain. 

I think the lynch pin of all of this is the Shib auth cookie which is scoped
to the specific sub-domain. If I can configure Shib SP to set a high-level
cookie ( instead of a sub-domain level cookie
(, then I should be able to redirect the user to with the correct entityID and the
target param set to the client-specific URL (, then
the ACS URL will be set to the URL starting with "" This
gets all users using the same SP for authentication, and allows the Shib
cookie to be used across all of the sub-domains, so they can be redirected
back to their specific URL ( and Shib will detect their
auth token based on the cookie and the integration should work. 

Is this is an approach which will work? 

View this message in context:
Sent from the Shibboleth - Users mailing list archive at

More information about the users mailing list