ShibbolethSP+ADFS and vhosts

Gahring, David A gahringd at
Thu Feb 15 13:26:31 EST 2018


Thanks for the quick response.  At least now I know what I can stop trying to figure out..  lol

As for the multiple entityID's, you are correct (I think).  We have a single relying party defined on the ADFS side, and were hoping to be able to make that work since logically it's the same application since each of the vhosts defined on the Apache web server redirect to identical Tomcat servers running the same application code.  We will continue to look to Microsoft to answer the acsIndex question, which would solve our issue from the ADFS/IDPInitiatedSignon perspective if we can somehow direct ADFS to return to a specific assertion.

One area that looked promising was the use of RelayState when calling the IDP initiated signon, but either it's not working correctly or I don't understand how it's supposed to work..  I've constructed the RelayState value with all the proper URLencoding, and regardless of which hostname is specified in the embedded RelayState URL to be handed back to the SP, it always redirects back to web1.  It's almost as if the RelayState passed back to ShibbolethSP is being ignored, or at least the hostname portion of the URL is being ignored.  I've tried both ss:mem as well as cookie in the configuration without any joy.

Any insights as to whether RelayState is a possible solution for our scenario?

Also, if we define 4 relying parties on the ADFS side, would I be able to run them under a single ShibbolethSP instance (i.e. Application), or would I have to spawn 4 independent SP's?  I think I remember reading one of the constructs being designed (or at least being ideal) for a multiple vhost implementation under a single SP.

Thanks again!

David A. Gahring
Systems Consultant - IT Department
Palm Beach State College
4200 Congress Avenue
Lake Worth, FL 33461
Work: 561.868.3320
Cell: 904.742-5407
Email: gahringd at

On 2/15/18, 1:04 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

    There's no way in SAML to do username hinting, but that notwithstanding, all that stuff about vhosts implies you're trying to avoid defining an SP entityID uniquely for each vhost, and so you should do that (and in most cases you ought to do it anyway, this issue notwithstanding, since they're generally not the same service).

    Whether ADFS supports identifying the ACS endpoint at runtime in an IdP-initiated request I wouldn't know. Shibboleth does (that's the shire parameter).

    -- Scott

    For Consortium Member technical support, see
    To unsubscribe from this list send an email to users-unsubscribe at


Please note: Due to Florida’s broad open records law, most written communication to or from College employees is public record, available to the public and the media upon request. Therefore, this e-mail communication may be subject to public disclosure.

More information about the users mailing list