wild card relying party

Peter Schober peter.schober at univie.ac.at
Wed May 15 06:31:31 EDT 2019

* Lalith Jayaweera <ljayaweera at gmail.com> [2019-05-15 06:36]:
> We have a request to configure an SP in our IdP, but the SP URL
> (relying party) sub context can change after a certain level,

What is an "SP url sub context"? The SP's entityID?

> can we configure an IdP to cater for such a wild card type
> relying party? The wild card pattern applies after a subcontext.

As part of what configuration? The attribute filter can make use of
Regular Expressions to release attributes to SPs whose entityID match
some regex.

entityIDs are literal strings (of XSD type "anyURI") so you cannot
create SAML 2.0 Metadata and expect the IDP to treat their entityID
values as regular expressions.
So either you have metadata available for all those SPs or you don't.
If you cannot create metadata (not even programmatically?) then you
can configure the IDP to also interop with SPs it does not have
metadata about (anonymous relying party support). The documentation
should cover that.

Depending on the actual use-case (not the technology you decided you
want to use to solve an unstated problem) none of that may be
E.g. for mass-vhosting, signed authn requests would allow a single
EntityDescriptor to work with ACS URLs (one for each vhost) that are
not pre-configured into that SP's metadata at the IDP.
Another, even simpler, method is listing all those ACS URLs (==
vhosts) within a single EntityDescriptor.
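An added illustration of the attribute-filter approach mentioned above (this is example configuration written for this page, not part of Peter's message or the Shibboleth project's own files): a Shibboleth IdP attribute-filter.xml policy whose PolicyRequirementRule is a RequesterRegex, so attributes are released to every SP whose entityID matches the pattern. The entityID pattern and the attribute name are constructed placeholders.

```xml
<!-- Added example for an IdP attribute-filter.xml (constructed; not the project's shipped file).
     Releases eduPersonPrincipalName to any relying party whose entityID
     matches the regex. The regex is anchored with ^ and $ on purpose so that
     "https://evil.example.net/?https://app1.example.org/shibboleth" cannot
     slip through as a substring match. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToExampleVhosts">
        <!-- One sub-context that varies per vhost: app1, app2, ... under example.org -->
        <PolicyRequirementRule xsi:type="RequesterRegex"
            regex="^https://[a-z0-9-]+\.example\.org/shibboleth$"/>

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Note that this only decides which attributes are released once a relying party has already been resolved; it does not by itself make an SP known to the IdP. The IdP still needs metadata for that entityID (or anonymous relying party support enabled), exactly as the message says.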
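To show the "even simpler" option from the last paragraph, here is a constructed SAML 2.0 EntityDescriptor (an added example, not metadata from the message or from any real deployment) in which a single SP entity lists one AssertionConsumerService per vhost. The entityID, hostnames and certificate value are placeholders.

```xml
<!-- Added example: one SP EntityDescriptor carrying several ACS endpoints,
     one per vhost. All names and the certificate are constructed placeholders. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">

  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- The SP's signing/encryption certificate; placeholder value, not a real cert -->
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>BASE64-CERTIFICATE-PLACEHOLDER</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <!-- One ACS endpoint per vhost. The IdP will only deliver assertions to a
         Location that appears here, so every vhost that must receive SSO
         responses needs its own entry. -->
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app1.example.org/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app2.example.org/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app3.example.org/Shibboleth.sso/SAML2/POST"/>

  </SPSSODescriptor>
</EntityDescriptor>
```

The list of ACS Locations is the control that keeps an assertion from being redirected to an endpoint the IdP has never seen, which is why a new vhost that is not listed fails until the metadata is updated. The other option in the message, signed authentication requests, is the way to let a vhost not present in this list be accepted on a per-request basis; unsigned requests naming an unlisted ACS URL should be rejected.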

