vhosts with SP, single entity id

Peter Schober peter.schober at univie.ac.at
Fri Mar 2 12:31:27 EST 2018


* William Eubank <william.eubank at uah.edu> [2018-03-02 18:13]:
> I'd like to avoid having to generate a new entity id for each vhost,
> update the sp metadata, then update the idp metadata.  This is an
> internal server so I am less worried about security than usual, more
> about convenience.

Personally I'd just add a line (ACS URL) to the metadata the IDP has
on record for each new vhost and reload that metadata at the IDP using
the command line tool. Takes all of 5 seconds and you're live.

FWIW, the SP's metagen script can also take a list of host names and
produce metadata for all of those, though that needs to be run at the
SP (since it will include the SP's public keys), whereas the ACS URL
addition only needs to happen at the IDP.

Alternatively, if you also control the IDP you may consider signing
the authn requests at the SP, and configuring the IDP to forgo the
metadata ACS URL check for signed requests. The IDP will then send the
response to the location requested in the signed auth request.

-peter
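As an added illustration (not part of the thread, and not Shibboleth's own metagen or reload tooling), the following script performs the "add an ACS URL line" step Peter describes: it appends an HTTP-POST AssertionConsumerService for a new vhost to the SP metadata the IDP has on record, keeping the single entityID. The entityID, host names and the default Shibboleth SP handler path /Shibboleth.sso/SAML2/POST are assumptions; the metadata reload at the IDP still has to follow.

```python
# Added example (not from the thread): register an extra vhost's ACS URL
# in the SP metadata the IDP holds, under the existing single entityID.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"
ET.register_namespace("md", MD_NS)

# Constructed sample: one SP entity with a single vhost registered so far.
# entityID and host names are assumptions, not values from the thread.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app1.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_locations(metadata_xml):
    """Return the ACS Locations currently listed in the metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location") for acs in root.iter(ACS_TAG)]


def add_vhost_acs(metadata_xml, vhost, path="/Shibboleth.sso/SAML2/POST"):
    """Add an HTTP-POST ACS endpoint for `vhost` and return the updated XML string.

    The new endpoint takes the next free index. A Location that is already
    registered is left untouched, so running this twice is harmless, and
    the IDP only ever accepts responses for URLs explicitly listed here.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    location = f"https://{vhost}{path}"
    if location in acs_locations(metadata_xml):
        return ET.tostring(root, encoding="unicode")
    used = [int(acs.get("index")) for acs in sp.iter(ACS_TAG)]
    ET.SubElement(sp, ACS_TAG, Binding=POST_BINDING, Location=location,
                  index=str(max(used, default=0) + 1))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_vhost_acs(SAMPLE_METADATA, "app2.example.org"))
```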

