vhosts with SP, single entity id
Greg Haverkamp
gahaverkamp at lbl.gov
Fri Mar 2 12:29:40 EST 2018
On Fri, Mar 2, 2018 at 9:13 AM, William Eubank <william.eubank at uah.edu> wrote:
> I'm trying to figure out how to use the same SP entityID for a host and a
> vhost. I've been trying ApplicationOverrides and ACS rules,
> requestmapping, but haven't had success yet. Has anyone done this and if
> so would you be willing to share how?
>
> I'd like to avoid having to generate a new entity id for each vhost,
> update the sp metadata, then update the idp metadata. This is an internal
> server so I am less worried about security than usual, more about
> convenience.
>
You don't need a new entity ID, and if you don't care about overrides, you
don't need them. You'll need to add vhost ACS endpoints to your SP
metadata, however. The IdP metadata wouldn't change, but it will, of
course, need the updated SP metadata.
This is discussed here:
https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP#MetadataForSP-AssertionConsumerServices
If you take the example:
<md:AssertionConsumerService
    Location="https://service.example.org/Shibboleth.sso/SAML2/POST"
    index="1"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
if you had a service2.example.org, you'd just need a second ACS with
location:
<md:AssertionConsumerService
    Location="https://service2.example.org/Shibboleth.sso/SAML2/POST"
    index="7"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
Greg
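As an added illustration (not part of the thread, and not Shibboleth's own code): a small stdlib-only Python script that builds SP metadata with a single entityID and one HTTP-POST AssertionConsumerService per vhost, then performs the check an IdP does against that metadata before it will deliver an assertion to a requested ACS URL. The entityID and hostnames are constructed sample values.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)


def build_sp_metadata(entity_id, vhosts):
    """Return SP metadata with ONE entityID and one HTTP-POST ACS per vhost.

    Every ACS gets a distinct index (indexes are assigned 1..n here; the
    thread's example uses 1 and 7, any distinct values work). The first one is
    marked isDefault so an AuthnRequest naming no endpoint has a defined target.
    """
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        ed, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for i, host in enumerate(vhosts, start=1):
        acs = ET.SubElement(
            sp, f"{{{MD_NS}}}AssertionConsumerService",
            Binding=HTTP_POST,
            Location=f"https://{host}/Shibboleth.sso/SAML2/POST",
            index=str(i))
        if i == 1:
            acs.set("isDefault", "true")
    return ET.tostring(ed, encoding="unicode")


def registered_acs(metadata_xml):
    """Map (Binding, Location) -> index for every ACS; reject duplicate indexes."""
    root = ET.fromstring(metadata_xml)
    endpoints, indexes = {}, set()
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        idx = acs.get("index")
        if idx in indexes:
            raise ValueError(f"duplicate AssertionConsumerService index {idx}")
        indexes.add(idx)
        endpoints[(acs.get("Binding"), acs.get("Location"))] = idx
    return endpoints


def acs_allowed(metadata_xml, binding, location):
    """IdP-side check: only release an assertion to an ACS listed in SP metadata.

    This is why each vhost needs its own ACS entry even though the entityID is
    shared: an unlisted Location is refused, not guessed from the hostname.
    """
    return (binding, location) in registered_acs(metadata_xml)


if __name__ == "__main__":
    md = build_sp_metadata("https://service.example.org/shibboleth",
                           ["service.example.org", "service2.example.org"])
    print(md)
    print(acs_allowed(md, HTTP_POST,
                      "https://service2.example.org/Shibboleth.sso/SAML2/POST"))
```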