Shibboleth SP on different domain than application

Cantor, Scott cantor.2 at
Tue May 20 07:37:01 EDT 2014

On 5/20/14, 11:11 AM, "Nils Andersson" <nils.andersson82 at> wrote:

>I'm looking at using Shibboleth as a SAML SP. Shibboleth would reside in
>one domain and the application in another. Shibboleth and the application
>will communicate over the internet. A goal in this is that the
>integration should be as easy as possible for the application.
>Any ideas on how to secure the communication between Shibboleth and the

Yes, you deploy an SSO protocol between them. That's the only way. They do
not communicate over the Internet alone. You cannot achieve this without
involving the client or you will not have a secure system, because that's
what SSO is, linking sessions between domains.

Basically, you are attempting to avoid installing the SP with the
application, but that is the entire basis of the SP's design. If you don't
like that design, you want a different solution that comes bundled with
its own SSO protocol behind the facade of the SAML layer (e.g., ADFS does
this with WS-Federation).

-- Scott
