How to setup Shibboleth SP for a multi-tenant application

Peter Schober peter.schober at
Fri Feb 9 07:41:26 EST 2018

* den at <den at> [2018-02-09 10:43]:
> But my application has only one global URL, I want to know, whether
> I could add this SSO feature supporting multi tenant application
> (with only one server instance)

"Only one global URL" is the recommened model and the Shib SP supports
it out of the box. Your service URL is your service URL, no matter
who is accessing it, that's federation.

Multi-tenency is something else: You virtually multiply the service
artifically in order to pretent that each tenent had its own

>  <Host name="" authType="shibboleth" requireSession="true">

That's not what you said above, though? Here you're creating separate
service access URL for each organisation (here
""). That's not recommended, despite its popularity in
SaaS offerings.
Or have you already fallen into the trap of deploying one
("physically") separate SP for each customer's instance of your
application? That arguably would be worse, IMO.

>          <ApplicationOverride id="same-app_aliasA" entityID="">

So Instead Of Posting Configuration snippets why not start with
describing what exactly it is you're trying to do?

You can do authorization per org (though using the org's entityID is
also a bad model, better to base authorization on the attributes sent,
i.e., ABAC) and you can initiate logins to different IDPs based on
vhost or path (and there are alternatives to that, too, by using IDP
discovery) -- all without the use of Overrides or cerating dozens of
virtual SPs.


More information about the users mailing list