Multiple virtual hosts on SP 3

Richard Frovarp richard.frovarp at ndsu.edu
Wed May 22 12:18:35 EDT 2019


On 5/21/19 5:22 PM, Peter Schober wrote:
>
> The SP creates a request message and the IDP answers with a response.
>
> The ACS URL (where to send the SAML response) is part of the SAML
> Authentication Request, you can easily see that in transit using the
> SAMLtracer browser extension (available for Firefox and Chromium).

Thanks for the info. Using that tool I can see that it is passing the 
correct ACS URL to CAS. However, CAS is not sending the response back to 
that URL. It appears to be using a different location from the metadata 
(the original vhost). There isn't a redirect back to there, it's a 
direct request. So something isn't right in the version of CAS I'm 
running for the IdP. At least now I know what I'm looking for and can 
better diagnose what is going on.

The vhost config looks good, and the SP picks up the different hosts I'm 
requesting through just fine. So it feels like an error on the IdP side, 
which isn't this project.


> Unless you need the IDP to treat those resources differently
> policy-wise (e.g. authn requirements or attribute release) there's no
> reason to create multiple logical SPs for what's essentially only one
> resource known by two hostnames.
>
> If all of that is creating issues, maybe canonicalizing the vhosts to
> one hostname would also be an option.


That would break the application in this case. Setting up four different 
entityIDs and registrations in the IdP right now is the easiest thing to 
do.

Thanks for the help,

Richard
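As an added illustration of the mechanics discussed in this thread (this is example code written for this page, not code from the original post, from Shibboleth or from CAS; the hostnames, entityID and request values are constructed), the script below shows the two things the thread turns on: the ACS URL is carried in the AuthnRequest itself, which is what SAMLtracer lets you read after undoing the HTTP-Redirect encoding, and a conforming IdP must honor that URL only if it matches an endpoint registered in the SP's metadata, otherwise reject the request rather than silently fall back to the default. It also demonstrates Peter's point that a single entityID can list one AssertionConsumerService per vhost, so separate logical SPs are not required for the IdP to route the response correctly.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical hostnames): ONE entityID whose
# SPSSODescriptor lists an ACS endpoint for each vhost the SP answers on.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://app.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="1" isDefault="true"
        Location="https://app.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="2"
        Location="https://app-alt.example.edu/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def build_authn_request(issuer, acs_url=None, request_id="_abc123"):
    """Constructed AuthnRequest; the ACS URL rides along as an attribute."""
    acs_attr = (f' AssertionConsumerServiceURL="{acs_url}" ProtocolBinding="{HTTP_POST}"'
                if acs_url else "")
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="2019-05-22T16:00:00Z" '
            f'Destination="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"{acs_attr}>'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode("utf-8")) + c.flush()).decode("ascii")


def decode_redirect(saml_request_param):
    """Inverse of encode_redirect: what SAMLtracer shows for a SAMLRequest= parameter."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def load_acs_endpoints(metadata_xml):
    root = ET.fromstring(metadata_xml)
    endpoints = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "index": int(e.get("index")), "default": e.get("isDefault") == "true"}
        for e in root.iter(f"{{{MD}}}AssertionConsumerService")
    ]
    return root.get("entityID"), endpoints


def resolve_acs(authn_request_xml, metadata_xml):
    """Return the (binding, location) the IdP is allowed to send its Response to.

    A requested ACS URL is honored only on an exact, case-sensitive match
    of the full URL against the SP's registered endpoints (no prefix or
    host-only matching). An unregistered URL rejects the request instead of
    silently falling back to the default endpoint: a silent fallback is
    exactly what makes a misrouted response hard to diagnose.
    """
    req = parse_authn_request(authn_request_xml)
    entity_id, endpoints = load_acs_endpoints(metadata_xml)
    if req["issuer"] != entity_id:
        raise ValueError(f"issuer {req['issuer']!r} is not the registered SP")
    if req["acs_url"] is None:
        default = (next((e for e in endpoints if e["default"]), None)
                   or min(endpoints, key=lambda e: e["index"]))
        return default["binding"], default["location"]
    for e in endpoints:
        if e["location"] == req["acs_url"] and (
                req["binding"] is None or req["binding"] == e["binding"]):
            return e["binding"], e["location"]
    raise ValueError(f"requested ACS {req['acs_url']!r} is not in the SP's metadata")
```

Running `resolve_acs` on a request for the second vhost returns the `app-alt` location, a request with no ACS URL gets the `isDefault="true"` endpoint, and a request naming a URL absent from the metadata is refused. An IdP that ignores the attribute and always uses the default endpoint reproduces the symptom described above; one that honors it without the metadata check would hand the assertion to whatever URL the requester chose.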
