Sub-domain per Entity

bmontgomery bmontgomery at teamdynamix.com
Tue Feb 26 11:39:27 EST 2013


I'm attempting to get the model I described above working. Here's what's
happening:

The user accesses a secured resource. The application redirects to the
Native Shib SP Login page, and uses the query string to specify the
"entityID", and sets "target" to the URL of the resource the user is
attempting to access (client1.example.com/SecuredResource). Shib then
redirects to the IdP with the SAML request as expected.

I'm receiving this error from the IdP:

Relying party 'https://www.example.com/shibboleth' requested the response to
be returned to endpoint with ACS URL
'http://client1.example.com/Shibboleth.sso/SAML2/POST'  and binding
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' however no endpoint, with
that URL and using a supported binding,  can be found in the relying party's
metadata 

I can see that the metadata for the SP contains no endpoints beginning with
http://client1.example.com, but that's by design - I only want one set of
endpoints.

It appears as if the AssertionConsumerServiceURL on the AuthnRequest is
based on the "target" query string parameter. Is that correct? I need the
AssertionConsumerServiceURL to always start with "https://www.example.com"
regardless of where the user originated the request to the secured resource.

How can I make it so that the AssertionConsumerServiceURL always points to
the correct URL (www.example.com), but the user is always redirected back
into the proper resource URL (client1.example.com) once authentication has
been negotiated?

I guess I can make a special "proxy" page which can do this for me, but I'd
rather not do that if some configuration allows me to do this with the Shib
SP OOTB.



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Sub-domain-per-Entity-tp7584793p7584825.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
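As an added illustration (not part of the post and not a file from the Shibboleth project), the two `Sessions` fragments below contrast a relative `handlerURL`, which makes the SP build a per-vhost ACS like the one in the IdP error, with an absolute `handlerURL` that pins every handler to www.example.com; the cookie domain, the `relayState` store and the flow of the session cookie are assumptions, and the hostnames are the post's own.

```xml
<!-- shibboleth2.xml, Sessions element (illustrative). Hostnames are the ones in
     the post; the cookie domain and relayState store are assumptions. -->

<!-- Relative handlerURL (the default): the SP derives the ACS from the vhost
     and scheme of the request it received, so a login triggered on
     client1.example.com names http://client1.example.com/Shibboleth.sso/SAML2/POST
     in the AuthnRequest, which is not among the endpoints registered for the
     relying party https://www.example.com/shibboleth. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http"
          relayState="ss:SESSION">
    <!-- entityID is supplied per request on the query string, as in the post -->
    <SSO>SAML2</SSO>
</Sessions>

<!-- Absolute handlerURL: every handler, the ACS included, is generated under
     https://www.example.com no matter which vhost started the login, so the
     single endpoint set in the metadata always matches the AuthnRequest. The
     SP still sends the browser back to the original resource through the
     relay state carried with the request. The session cookie is now issued
     by www.example.com, so for client1.example.com to present it the cookie
     is scoped to the shared parent domain (assumed .example.com) and marked
     secure and HttpOnly; handlerSSL="true" keeps handlers TLS-only. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          handlerURL="https://www.example.com/Shibboleth.sso" handlerSSL="true"
          cookieProps="; path=/; domain=.example.com; secure; HttpOnly"
          relayState="ss:SESSION">
    <SSO>SAML2</SSO>
</Sessions>
```

Scoping the cookie to the parent domain means every host under it can read the SP session, so it is only appropriate when all of those hosts are equally trusted.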