How to setup Shibboleth SP for a multi-tenant application

Michael O Holstein michael.holstein at
Fri Feb 9 08:04:36 EST 2018

you can transform outbound attributes however you want .. if the other party wants "UNICORN-TYPE" instead of AFFILIATION, just do a transform, and yes this is per SP (usually, but I suppose you could also do it globally) .. SAML inspector plugin (Firefox) is very useful in debugging these, as is an alternate log4j.xml that turns it up to TRACE on all the stuff you want (warning: that level will expose passwords in your log if done for particular ones; the comment as to which is right in the file).

Our ERP application sticks a letter in front of what one might call our "userID" based on other attributes located in LDAP, but it's trivial to do several rule-based transforms and a final one that tosses an error, or does a default action. We have places that want MAIL but unqualified (?) .. whatever. Just give me the attribute name and so long as it doesn't have any illegal characters in it, it'll work just fine.

If the other guy speaks SAML, it'll work. Maybe not out of the box, but it'll work.

Ask for a price break on the integration though because doing silly stuff like that makes your job harder. Sane places give you a discount for being on InCommon (etc) because they know you already figured it out.

My $0.02

Michael Holstein CISSP

Cleveland State University

From: users <users-bounces at> on behalf of den at <den at>
Sent: Friday, February 9, 2018 4:32:45 AM
To: users at
Cc: j.takamatsu at
Subject: How to setup Shibboleth SP for a multi-tenant application

Hi gurus

I'm new to Shibboleth and want to set up an SSO environment for testing SSO through SAML2 in a single SaaS application supporting multiple tenants.

My SaaS application has ENTERPRISE_ID, USER_ID and USER_PASS as the parameters needed to log in.

I now want to use Shibboleth SP to support SAML2-based SSO; users of each ENTERPRISE_ID will have a corresponding IdP for authentication.

But my application has only one global URL. I want to know whether I could add this SSO feature for a multi-tenant application (with only one server instance) by adding a virtual directory for each ENTERPRISE_ID in shibboleth2.xml, like the following:


<!-- To customize behavior, map hostnames and path components to applicationId and other settings. -->
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="" authType="shibboleth" requireSession="true">
                <Path name="same-app_aliasA" applicationId="same-app_aliasA"/>
                <Path name="same-app_aliasB" applicationId="same-app_aliasB"/>
                <Path name="same-app_aliasC" applicationId="same-app_aliasC"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <ApplicationDefaults id="default" policyId="default"
        REMOTE_USER="eppn persistent-id targeted-id">

        <!-- Overrides for other-app -->
        <ApplicationOverride id="same-app_aliasA" entityID="">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="/aliasA/Shibboleth.sso" handlerSSL="false">
            </Sessions>
        </ApplicationOverride>

        <ApplicationOverride id="same-app_aliasB" entityID="">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="/aliasB/Shibboleth.sso" handlerSSL="false">
            </Sessions>
        </ApplicationOverride>

        <ApplicationOverride id="same-app_aliasC" entityID="">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerURL="/aliasC/Shibboleth.sso" handlerSSL="false">
            </Sessions>
        </ApplicationOverride>
    </ApplicationDefaults>

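One way to complete the layout above so that each tenant path is routed to its own IdP, as an added example rather than the poster's configuration: the hostname, SP entityIDs, IdP entityIDs and metadata file names are placeholders, and the example assumes Shibboleth SP 2.4 or later (where an SSO element with an entityID attribute inside Sessions selects the IdP) with the rest of shibboleth2.xml (credentials, attribute extraction, error handling) left as in the distributed file.

```xml
<!-- Map each tenant path to its own applicationId. The handlerURL of each
     override must sit under the mapped path so the same override governs
     the handler requests as well as the application pages. -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="app.example.com" authType="shibboleth" requireSession="true">
      <Path name="aliasA" applicationId="aliasA"/>
      <Path name="aliasB" applicationId="aliasB"/>
    </Host>
  </RequestMap>
</RequestMapper>

<ApplicationDefaults id="default" policyId="default"
    entityID="https://app.example.com/shibboleth"
    REMOTE_USER="eppn persistent-id targeted-id">

  <!-- Defaults for paths that match no tenant override. -->
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
      handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://idp-default.example.org/idp/shibboleth">SAML2</SSO>
  </Sessions>
  <MetadataProvider type="XML" validate="true" file="default-idp-metadata.xml"/>

  <!-- Tenant A: its own SP entityID, handler under /aliasA, its own IdP, and
       a MetadataProvider that trusts only that IdP, so an assertion from
       tenant B's IdP cannot create a session on the /aliasA path. -->
  <ApplicationOverride id="aliasA" entityID="https://app.example.com/aliasA/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/aliasA/Shibboleth.sso" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.tenant-a.example/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true" file="tenant-a-idp-metadata.xml"/>
  </ApplicationOverride>

  <ApplicationOverride id="aliasB" entityID="https://app.example.com/aliasB/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
        handlerURL="/aliasB/Shibboleth.sso" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.tenant-b.example/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" validate="true" file="tenant-b-idp-metadata.xml"/>
  </ApplicationOverride>

  <!-- Still needed in the application itself: compare the session's
       Shib-Identity-Provider value with the ENTERPRISE_ID the path implies. -->
</ApplicationDefaults>
```

With handlerSSL="true" and cookieProps="https" the session cookie is never sent over plain HTTP, which the posted handlerSSL="false" setting would allow.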