ShibbolethSP+ADFS and vhosts

Cantor, Scott cantor.2 at osu.edu
Thu Feb 15 15:32:58 EST 2018


> One area that looked promising was the use of RelayState when calling the
> IDP initiated signon, but either it's not working correctly or I don't understand
> how it's supposed to work. I've constructed the RelayState value with all the
> proper URLencoding, and regardless of which hostname is specified in the
> embedded RelayState URL to be handed back to the SP, it always redirects
> back to web1.  It's almost as if the RelayState passed back to ShibbolethSP is
> being ignored, or at least the hostname portion of the URL is being ignored.
> I've tried both ss:mem as well as cookie in the configuration without any joy.

You cannot pass such a value to the SP. Those are values generated by the SP internally; there's no way you could possibly produce a working value. The SP is failing to locate the state and redirecting to homeURL or the root of the site.

If you want it to recognize a RelayState value it didn't create, only an absolute or relative URL can be put into it.

> Also, if we define 4 relying parties on the ADFS side, would I be able to run
> them under a single ShibbolethSP instance (i.e. Application), or would I have
> to spawn 4 independent SP's?  I think I remember reading one of the
> constructs being designed (or at least being ideal) for a multiple vhost
> implementation under a single SP.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationModel

-- Scott
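
The behaviour described in the reply above, as a simplified model added here for illustration (not Shibboleth SP code and not part of the original message). The handle prefixes are assumed from the `ss:mem` and `cookie` settings named in the thread; the host names, store contents and function names are constructed.

```python
from urllib.parse import urlsplit

# Assumed handle prefixes, modelled on the "ss:mem" and "cookie" settings in the thread.
HANDLE_PREFIXES = ("ss:mem:", "cookie:")
HOME_URL = "https://web1.example.org/"  # constructed stand-in for homeURL


def is_url(value):
    """True for an absolute http(s) URL or a site-relative path."""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return True
    # Relative: no scheme, no host, path rooted at "/" (so "//host/..." is rejected).
    return not parts.scheme and not parts.netloc and parts.path.startswith("/")


def resolve_relay_state(relay_state, state_store, home_url=HOME_URL):
    """Return (target, reason) for a RelayState that arrives with a response."""
    if not relay_state:
        return home_url, "no RelayState"
    if relay_state.startswith(HANDLE_PREFIXES):
        # A handle only means something if this SP stored state under it.
        target = state_store.get(relay_state)
        if target is None:
            return home_url, "unknown state handle"
        return target, "SP-created state"
    if is_url(relay_state):
        # A value the SP did not create is honoured only as a literal URL.
        return relay_state, "literal URL"
    return home_url, "unrecognised value"


if __name__ == "__main__":
    # Constructed state: one handle the SP issued during an SP-initiated login.
    store = {"ss:mem:abc123": "https://web2.example.org/secure"}
    samples = [
        "ss:mem:abc123",                 # issued by the SP, found in the store
        "ss:mem:handcrafted",            # built by hand, never stored
        "https://web3.example.org/app",  # absolute URL
        "/app/index.html",               # relative URL
    ]
    for value in samples:
        print(value, "->", resolve_relay_state(value, store))
```

The hand-built handle is the case from the thread: nothing is stored under it, so the model falls back to the home URL whatever host was intended.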
