Joint SP configuration for two applications- attributePrefix conflict

Klingenstein, Nate nklingenstein at calstate.edu
Thu Nov 24 00:15:28 EST 2016


Alex,

> Thanks a lot, I think I'm starting to get a more clear picture of what to do.

I think you are, too.

> No. I would like them to look like one application to the IdP

From what I have read, I would want to use one entityID.  I would consider that to be an advantage, not a drawback.  The two applications become your implementation detail and the IdP knows you as one application.

It's very hard to change this after you go to large-scale production, so make sure to think through all future use cases, too.  That might be a reason to avoid this, or a reason it's even better.

> Yes, this seems to make the most sense.  I tried the approach with one entityID and it didn't work because of the attributePrefix conflict.  I then attempted the configuration with two entity IDs, which worked successfully, but created the problem described in my previous post.

Yep.  If you want to do this, you need to:

1)  Make the session cookie accessible to both applications.
2)  Come up with a resolution for the attributePrefix situation.

> I think what would make the most sense to me is setting multiple attributes in the SP from a single SAML attribute with attribute-map.xml.

I think that would make sense, too.  I don't have any strong feelings about the options I laid out for this.

> If I can resolve the attributePrefix issue with attribute-map.xml mappings, and both my applications will be covered under one entityID, then will the user only need to authenticate through the IdP once to get access to both applications?

And you make the cookie in a sub-domain (or domain) that both can see, yes.

Thanks for all the deep thought,
Nate.
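As an added illustration of the two steps Nate lists (one shared session cookie, one attribute map serving both applications), not configuration from either participant: excerpts from the two Shibboleth SP files involved, with a hypothetical entityID, cookie domain and attribute ids.

```xml
<!-- Added example, not from the thread. All names below are hypothetical. -->

<!-- shibboleth2.xml excerpt: a single entityID for both applications, and a
     session cookie scoped to a parent domain that both hosts can read, so one
     IdP authentication yields one SP session visible to app1 and app2. -->
<ApplicationDefaults entityID="https://sp.example.edu/shibboleth"
                     REMOTE_USER="eppn">
  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true"
            cookieProps="; path=/; domain=.example.edu; secure; HttpOnly">
    <!-- SSO, Logout and Handler elements unchanged -->
  </Sessions>
</ApplicationDefaults>

<!-- attribute-map.xml excerpt: the same SAML attribute is decoded twice, once
     under each internal id the two applications expect. Because there is only
     one application from the SP's point of view, a single attributePrefix
     applies; per-application naming is carried by the id values instead. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- eduPersonPrincipalName, exported as "eppn" for app1 -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <!-- the same source attribute, exported again as "app2_eppn" for app2 -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="app2_eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>

  <!-- mail, likewise mapped once per application -->
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="app2_mail"/>
</Attributes>
```

The cookie domain must be a parent of both application hostnames; a cookie set for one host alone is exactly the "second login" symptom described in the earlier post.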