Shibboleth handler invoked at an unconfigured location
Peter Schober
peter.schober at univie.ac.at
Tue May 17 09:40:16 EDT 2016
* reda sabir <sabiretude at gmail.com> [2016-05-17 15:16]:
> - The project that I'm working for obliges me to write one SP for
> multiple websites, with the fact that each website has its own
> IdP. Why was one SP chosen?: The architect chose that because
> of SSO. Each IdP has a personalized login page for the website and
> we cannot afford that someone sees the login page of another website,
> even if the user store is the same. BUT when we log in to one
> website, we are then authenticated in all websites (This is not a
> constraint of the solution but the behavior wanted).
I don't understand the details of login pages etc., but it seems you
do want to allow subjects having authenticated at ANY of the available
IDPs to access ALL web sites / vhosts.
If that's correct there's nothing special to do. Be sure to start from
scratch with a clean config (to undo all the
ApplicationOverride-related changes you did, none of which are
necessary).
Then add SAML Metadata to the SP containing all the SAML IDPs you want
to allow logins from. (One per file quickly gets old, so depending
on the number of IDPs probably put them all into a single SAML 2.0
Metadata file wrapped in an EntitiesDescriptor element.)
Finally add the 'entityID' content setting (as per previous examples I
provided in the other thread you started, the one with the subject
"Configure one SP for multiple IDP") to each vhost, pre-selecting a
certain IDP for it.
> Now my knowledge lets me think that we cannot write all the previous
> behavior in the metadata.
There's nothing to write if you want to allow more than 1 IDP to
access a resource. That's the intended model with Shibboleth.
> please just develop your idea with some example configuration
> (write some pseudo-configuration).
I already did. The only thing slightly unusual is pre-selecting the
IDP based on content settings. The rest is adding metadata for every
IDP and probably access control rules as desired (e.g. to only allow
subjects that have certain attributes).
-peter
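The set-up Peter describes (one SP, one metadata file wrapping all IdPs, and the entityID content setting on each vhost), written out as an added example that is not part of the thread and not Shibboleth project code. Hostnames, entityIDs, file names and the attribute used in the access-control rule are placeholders chosen for illustration; everything else follows the standard shibboleth2.xml layout of the 2.x SP.

```xml
<!-- Added example (not from the thread): a trimmed shibboleth2.xml for one SP
     serving several vhosts, each pre-selecting its own IdP via the entityID
     content setting. All hostnames, entityIDs and paths are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- Content settings keyed on the request's hostname. Every vhost uses the
       same SP entityID, but each one pre-selects a different IdP, so the SP
       never shows a discovery page or another site's IdP login page. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="site-a.example.org" authType="shibboleth" requireSession="true"
            entityID="https://idp-a.example.org/idp/shibboleth"/>
      <Host name="site-b.example.org" authType="shibboleth" requireSession="true"
            entityID="https://idp-b.example.org/idp/shibboleth">
        <!-- Optional: an attribute-based access rule, evaluated after login.
             "affiliation" is the default attribute-map id for
             eduPersonScopedAffiliation; the value is a placeholder. -->
        <AccessControl>
          <Rule require="affiliation">member@example.org</Rule>
        </AccessControl>
      </Host>
    </RequestMap>
  </RequestMapper>

  <!-- One application: every vhost shares this SP entityID and these settings. -->
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id"
                       signing="false" encryption="false">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO>SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- All IdPs allowed to log in, in one file: their EntityDescriptor
         elements wrapped in a single EntitiesDescriptor. Nothing per-IdP
         has to be written here; the metadata is what authorizes each IdP. -->
    <MetadataProvider type="XML" validate="true" path="partner-idps.xml"/>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

On Apache the same content setting can be applied from the vhost instead of the RequestMap, with `ShibRequestSetting entityID https://idp-a.example.org/idp/shibboleth` inside the corresponding `<VirtualHost>`; the Native RequestMapper merges both sources. Note that no ApplicationOverride appears anywhere: one application, one SP entityID, and one metadata file listing every IdP is all this scenario needs.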