Sub-domain per Entity

bmontgomery bmontgomery at
Tue Feb 26 11:39:27 EST 2013

I'm attempting to get the model I described above working. Here's what's

The user accesses a secured resource. The application redirects to the
Native Shib SP Login page, and uses the query string to specify the
"entityID", and sets "target" to the URL of the resource the user is
attempting to access ( Shib then
redirects to the IdP with the SAML request as expected.

I'm receiving this error from the IdP:

Relying party '' requested the response to
be returned to endpoint with ACS URL
''  and binding
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with
that URL and using a supported binding,  can be found in the relying party's

I can see that the metadata for the SP contains no endpoints beginning with, but that's by design - I only want one set of

It appears as if the AssertionConsumerServiceURL on the AuthnRequest is
based on the "target" query string parameter. Is that correct? I need the
AssertionConsumerServiceURL to always start with ""
regardless of where the user originated the request to the secured resource.

How can I make it so that the AssertionConsumerServiceURL always points to
the correct URL (, but the user is always redirected back
into the proper resource URL ( once authentication has
been negotiated?

I guess I can make a special "proxy" page which can do this for me, but I'd
rather not do that if some configuration allows me to do this with the Shib

View this message in context:
Sent from the Shibboleth - Users mailing list archive at

More information about the users mailing list