shibboleth2.xml configuration for www and non-www requests to same host (IIS)

Cantor, Scott cantor.2 at osu.edu
Thu May 25 12:12:06 EDT 2017


> We're having a problem in which the following request is authenticated, but
> after successful login, is incorrectly redirected to https://www.example.com:

I can't make sense of what specific sequence you're asking about, and the use of HTML email (which I do not read) is a good way to really screw things up with all the embedded links. So I'm not really getting it.

That said...

> Do you have any suggestions?  Redirect rules configured in the redirect
> module seem to happen after any shibboleth authentication, so that doesn't
> seem to be a fix/problem.

I am aware of that particular issue; it's why the SP includes a hook to do port redirects. You can add redirectToSSL="443" in the RequestMap and it will do the redirects before any other processing of a request. That's the way to force user requests for an http vhost to get switched over and avoid the need for SAML endpoints on http.

I don't know if that's the problem or a fix but just in case.

Hostname issues have *nothing* to do with the SP. You determine all that; it has nothing to do with this software. That's why you have to map site IDs in IIS into the appropriate hostnames you want to support if you're going to assign settings based on them. All the software knows is what the client tells it the name is, so the software routes through the site ID to determine if that name is "appropriate" for the request.

If the question is how to allow for multiple hostnames on a site ID at once, there's an <Alias> element for that.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPISAPI

You must of course have rules in the RequestMap for all possible hostnames you want to support.

-- Scott
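
The following is an added example, not part of the original message and not code from the Shibboleth project: a small audit that checks that every hostname mapped to an IIS site ID (the Site name plus each <Alias>) has a Host rule in the RequestMap and is covered by redirectToSSL. The sample shibboleth2.xml is constructed, the function names are hypothetical, and the check assumes plain Host rules only (it ignores HostRegex and per-Path settings).

```python
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample: one IIS site (ID 1) answering to two hostnames,
# but only one of them has a rule in the RequestMap.
SAMPLE = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess>
    <ISAPI>
      <Site id="1" name="www.example.com">
        <Alias>example.com</Alias>
      </Site>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap redirectToSSL="443">
      <Host name="www.example.com" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""

def site_hostnames(root):
    """Map each IIS site ID to the hostnames accepted for it (name + Alias)."""
    sites = {}
    for site in root.iterfind(".//sp:ISAPI/sp:Site", NS):
        names = [site.get("name")]
        names += [(a.text or "").strip() for a in site.iterfind("sp:Alias", NS)]
        sites[site.get("id")] = [n.lower() for n in names if n]
    return sites

def audit(xml_text):
    """Return (hostnames with no Host rule, hostnames without redirectToSSL)."""
    root = ET.fromstring(xml_text)
    rmap = root.find(".//sp:RequestMap", NS)
    hosts = {h.get("name", "").lower(): h for h in rmap.iterfind("sp:Host", NS)}
    missing, no_redirect = [], []
    for names in site_hostnames(root).values():
        for name in names:
            host = hosts.get(name)
            if host is None:
                missing.append(name)
            # The setting is inherited, so RequestMap-level coverage counts.
            elif not (host.get("redirectToSSL") or rmap.get("redirectToSSL")):
                no_redirect.append(name)
    return missing, no_redirect

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the alias example.com is reported as lacking a Host rule; adding a matching Host element for it clears the finding.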


