Sub-domain per Entity
bmontgomery at teamdynamix.com
Tue Feb 26 11:39:27 EST 2013
I'm attempting to get the model I described above working. Here's what's
The user accesses a secured resource. The application redirects to the
Native Shib SP Login page, and uses the query string to specify the
"entityID", and sets "target" to the URL of the resource the user is
attempting to access (client1.example.com/SecuredResource). Shib then
redirects to the IdP with the SAML request as expected.
I'm receiving this error from the IdP:
Relying party 'https://www.example.com/shibboleth' requested the response to
be returned to endpoint with ACS URL
'http://client1.example.com/Shibboleth.sso/SAML2/POST' and binding
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with
that URL and using a supported binding, can be found in the relying party's
I can see that the metadata for the SP contains no endpoints beginning with
http://client1.example.com, but that's by design - I only want one set of
It appears as if the AssertionConsumerServiceURL on the AuthnRequest is
based on the "target" query string parameter. Is that correct? I need the
AssertionConsumerServiceURL to always start with "https://www.example.com"
regardless of where the user originated the request to the secured resource.
How can I make it so that the AssertionConsumerServiceURL always points to
the correct URL (www.example.com), but the user is always redirected back
into the proper resource URL (client1.example.com) once authentication has
I guess I can make a special "proxy" page which can do this for me, but I'd
rather not do that if some configuration allows me to do this with the Shib
View this message in context: http://shibboleth.1660669.n2.nabble.com/Sub-domain-per-Entity-tp7584793p7584825.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
More information about the users