ShibbolethSP+ADFS and vhosts

Cantor, Scott cantor.2 at
Thu Feb 15 15:32:58 EST 2018

> One area that looked promising was the use of RelayState when calling the
> IDP initiated signon, but either it's not working correctly or I don't understand
> how it's supposed to work..  I've constructed the RelayState value with all the
> proper URLencoding, and regardless of which hostname is specified in the
> embedded RelayState URL to be handed back to the SP, it always redirects
> back to web1.  It's almost as if the RelayState passed back to ShibbolethSP is
> being ignored, or at least the hostname portion of the URL is being ignored.
> I've tried both ss:mem as well as cookie in the configuration without any joy.

You cannot pass such a value to the SP, those are values generated by the SP internally, there's no way you could possibly produce a working value. The SP is failing to locate the state and redirecting to homeURL or the root of the site.

If you want it to recognize a RelayState value it didn't create, only an absolute or relative URL can be put into it.

> Also, if we define 4 relying parties on the ADFS side, would I be able to run
> them under a single ShibbolethSP instance (i.e. Application), or would I have
> to spawn 4 independent SP's?  I think I remember reading one of the
> constructs being designed (or at least being ideal) for a multiple vhost
> implementation under a single SP.

-- Scott

More information about the users mailing list