Multiple virtual hosts on SP 3

[Peter Schober]

* Richard Frovarp <richard.frovarp at ndsu.edu> [2019-05-21 23:43]:
> The generated metadata has both domains in the generated metadata,
> of course with the same single entityID.

I'm assuming that means you have one EntityDescriptor (hence only one
entityID) with multiple AssertionConsumerService elements? (One
AssertionConsumerService/@Location for each vhost?)

> In general, how does the IdP know where to send the user back to if
> there are multiple listed domains?

The SP creates a request message and the IDP answers with a response.

The ACS URL (where to send the SAML response) is part of the SAML
Authentication Request, you can easily see that in transit using the
SAMLtracer browser extension (available for Firefox and Chromium).

After the SP has recieved and processed the SAML response it will send
the browser on to the originally requested resource (captured in the
RelayState parameter on the previous access attempt, before auth
kicked in).

You'll want the vhost in all those steps to be the same, i.e., the
requested ACS URL should be on the same vhost as the requested
protected resource and the final redirect to the resource (referenced
by the RelayState) should also be to that same vhost.

I note you don't mention the web server implementation or vhost
configuration. Incorrect web server configuration can certainly mess
things up as the Shib SP relies on its correct configuration.

> From where I'm at, it looks like the best option for me is different
> entityIDs via the entityIDSelf param in HTTPD. That is certainly
> doable,

Unless you need the IDP to treat those resources differently
policy-wise (e.g. authn requirements or attribute release) there's no
reason to create multiple logical SPs for what's essentially only one
resource known by two hostnames.

If all of that is creating issues maybe considering to canonicalize
the vhosts to one hostname would also be an option.

-peter