How to setup Shibboleth SP for a multi-tenant application

Peter Schober peter.schober at
Tue Feb 13 06:58:42 EST 2018

* 田 登 <den at> [2018-02-13 11:14]:
> I simply want to use one single SP (here Shibboleth) instance, and
> the Shibboleth SP needs to be configured to serve more than one
> organization using different IdPs.

That's not nearly sufficiently detailed to give you configuration
The recommended way to use the software and to integrate several IDPs
is having everyone access the exact same URL and letting the subject
pick their IDP for authentication.

> It seems you recommend that vhost or path be used for this purpose,

Literally the opposite.

> since my SaaS application only has one global URL serving all the
> members across different organizations, I would like to have a try
> with virtual directories (pointing to the same physical location).

If you only have "one global URL" then that's what everyone accesses.
No vhosts or paths. You're done, basically.

> My service needs to be online 24x7; I cannot afford to restart my services,
> so I considered using the Overrides settings of Shibboleth, because
> settings file of Shibboleth will be reloaded automatically once its
> timestamp is changed. Is this reasonable ?

No. Choosing between different kinds of integration or access modes
cannot sensibly be done solely based on what software's config files
reload automatically. (Apache httpd also has graceful reload that does
not terminate processes with active connections, jfyi.)

Instead you'd run a test instance of your service and test all config
changes beforehand. Then you'd reload the production environment based
on tested config changes (or replace prod with a modified version, if
you're into that whole "cattle, not pets" thing).  If that is seen as
disruptive then you'll need to deploy more than one service and make
it highly available. Nothing to do with the Shib SP, though, IMO.
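As an added illustration (not part of Peter's reply and not the Shibboleth project's shipped defaults), this is roughly what the recommended single-application setup looks like in shibboleth2.xml: one ApplicationDefaults, no ApplicationOverride, no vhost or per-tenant path, and a discovery service in front of the SSO handler so each subject picks their own organization's IdP. The hostnames, entityIDs, URLs and file names are assumed placeholders.

```xml
<!-- shibboleth2.xml, SP 3.x schema. Added example; all names are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <!-- One application serves every tenant. The service keeps its single
       global URL; tenants are told apart by which IdP asserted the user,
       not by which URL they arrived on. -->
  <ApplicationDefaults entityID="https://app.example.org/shibboleth"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https"
              redirectLimit="exact">

      <!-- IdP selection: instead of pinning one IdP with entityID="...",
           send the subject to a discovery service (SAMLDS protocol) and let
           them choose. Any IdP present in the metadata below is selectable. -->
      <SSO discoveryProtocol="SAMLDS"
           discoveryURL="https://ds.example.org/DS/WAYF">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html"/>

    <!-- Trust is granted per IdP through metadata, not per URL. An
         organization's IdP is accepted only if its metadata is loaded here.
         The Signature filter rejects unsigned or tampered feeds; the
         RequireValidUntil filter rejects feeds that could be replayed forever. -->
    <MetadataProvider type="Chaining">
      <!-- Federation aggregate carrying many tenants' IdPs at once. -->
      <MetadataProvider type="XML" validate="true"
                        url="https://federation.example.org/metadata/aggregate.xml"
                        backingFilePath="federation-metadata.xml"
                        maxRefreshDelay="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="federation-signer.pem"
                        verifyBackup="false"/>
      </MetadataProvider>
      <!-- A customer whose IdP is in no federation: metadata exchanged out of
           band and stored locally. The file is picked up on the SP's normal
           reload, so onboarding a tenant needs no restart. -->
      <MetadataProvider type="XML" validate="true"
                        path="idp-metadata/tenant-b-idp.xml"
                        reloadChanges="true"/>
    </MetadataProvider>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false"
                        path="attribute-map.xml"/>
    <!-- The stock attribute-policy.xml binds scoped attributes such as eppn
         to the asserting IdP's registered scope from metadata, so one
         tenant's IdP cannot assert identifiers belonging to another tenant. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <CredentialResolver type="File" use="signing"
                        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
                        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false"
                    path="protocols.xml"/>
</SPConfig>
```

With this layout the application reads the asserting IdP from the `Shib-Identity-Provider` variable (and the scope of attributes like `eppn`) to decide which tenant a session belongs to, which is what makes separate vhosts, paths or overrides unnecessary. The discovery URL above assumes a central discovery service; the Shibboleth Embedded Discovery Service hosted on the SP itself works the same way from the SP's point of view.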

