How to set up Shibboleth SP for a multi-tenant application
den at scsk.jp
Fri Feb 9 04:32:45 EST 2018
Hi gurus,

I'm new to Shibboleth and want to set up an SSO environment for testing SSO through SAML2 in a single SaaS application supporting multiple tenants.
My SaaS application has ENTERPRISE_ID, USER_ID and USER_PASS as the parameters needed to log in.
I now want to use Shibboleth SP to support SAML2-based SSO; users of each ENTERPRISE_ID will have a corresponding IDP for authentication.
But my application has only one global URL. I want to know whether I could add this SSO feature to support a multi-tenant application (with only one server instance) by adding a virtual directory for each ENTERPRISE_ID in shibboleth2.xml, like the following:

[...]
<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
<RequestMapper type="Native">
    <RequestMap applicationId="default">
        <Host name="service.university.org" authType="shibboleth" requireSession="true">
            <Path name="same-app_aliasA" applicationId="same-app_aliasA"/>
            <Path name="same-app_aliasB" applicationId="same-app_aliasB"/>
            <Path name="same-app_aliasC" applicationId="same-app_aliasC"/>
            [...]
        </Host>
    </RequestMap>
</RequestMapper>
[...]
<ApplicationDefaults id="default" policyId="default"
    entityID="https://service.university.org/shibboleth"
    homeURL="https://service.university.org/welcome/"
    REMOTE_USER="eppn persistent-id targeted-id"
    >
    [...]
    <!-- Overrides for other-app -->
    <ApplicationOverride id="same-app_aliasA" entityID="https://idp_A.university.org/shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/aliasA/Shibboleth.sso" handlerSSL="false"/>
    </ApplicationOverride>
    <ApplicationOverride id="same-app_aliasB" entityID="https://idp_B.university.org/shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/aliasB/Shibboleth.sso" handlerSSL="false"/>
    </ApplicationOverride>
    <ApplicationOverride id="same-app_aliasC" entityID="https://idp_C.university.org/shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/aliasC/Shibboleth.sso" handlerSSL="false"/>
        [...]
    </ApplicationOverride>
</ApplicationDefaults>
[...]
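
An added example, not part of the original post and not Shibboleth's own tooling: a Python check for a per-tenant layout like the one above, verifying that every Path's applicationId has an ApplicationOverride and that the override's handlerURL lies under the mapped path, so handler requests are routed to the same application as the tenant's content. The sample XML, host name and tenant names are constructed, namespaces are omitted (a real shibboleth2.xml needs namespace-qualified tag names), and the "handlerURL starts with /<Path name>/" rule is an assumption about how the paths are laid out.

```python
import xml.etree.ElementTree as ET

# Constructed sample (namespaces and unrelated elements omitted). tenantA is
# consistent, tenantB's handlerURL is off its path, tenantC has no override.
SAMPLE = """
<SPConfig>
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.org" authType="shibboleth" requireSession="true">
        <Path name="tenantA" applicationId="app-tenantA"/>
        <Path name="tenantB" applicationId="app-tenantB"/>
        <Path name="tenantC" applicationId="app-tenantC"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://sp.example.org/shibboleth">
    <ApplicationOverride id="app-tenantA">
      <Sessions handlerURL="/tenantA/Shibboleth.sso"/>
    </ApplicationOverride>
    <ApplicationOverride id="app-tenantB">
      <Sessions handlerURL="/b/Shibboleth.sso"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""

def lint_tenant_mapping(xml_text):
    """Return a sorted list of (applicationId, problem) tuples."""
    root = ET.fromstring(xml_text)
    # applicationId -> URL prefix that the RequestMap routes to it
    mapped = {p.get("applicationId"): "/" + p.get("name").strip("/") + "/"
              for p in root.iter("Path") if p.get("applicationId")}
    problems, seen = [], set()
    for ov in root.iter("ApplicationOverride"):
        app_id = ov.get("id")
        seen.add(app_id)
        sessions = ov.find("Sessions")
        handler = sessions.get("handlerURL") if sessions is not None else None
        if app_id not in mapped:
            problems.append((app_id, "no Path maps to this override"))
        elif handler is None:
            problems.append((app_id, "handlerURL not overridden"))
        elif not handler.startswith(mapped[app_id]):
            problems.append((app_id, "handlerURL outside mapped path"))
    problems += [(a, "Path has no ApplicationOverride") for a in mapped if a not in seen]
    return sorted(problems)

if __name__ == "__main__":
    print(*lint_tenant_mapping(SAMPLE), sep="\n")
```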