multiple applications setup with existing IDP

irfan sarwar isarwar3334 at
Wed May 22 16:56:59 EDT 2019

I have 2 applications on separate servers.
I have a reverse web proxy server in front of them with Shibboleth
installed on it.  points to the first application,  points to the second application.

I have EDS working as a discovery service for the 1st application.

When I added the 2nd application I made only 2 modifications:
I added the lines under <!--sp3--> to my sp-metadata.xml file:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="" index="3"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="" index="4"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="5"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="" index="7"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="" index="8"/>

and added the name to the idpselect_config.js file's

The issue I'm having is that after authentication the existing IDPs are not
able to redirect me back to sp3.  I'm sent back to the EDS page with the
drop-down.

If I test with a new IDP (which has the explicit ACS "") I'm able to log in to the
2nd site without issues.
(In order to test with the new IDP I of course had to add the idps-metadata, so
shibboleth.xml is also modified at this point.)

My questions are:

1a. Why can't I use the existing IDPs to authenticate to multiple
applications behind my SP (reverse proxy server)?
1b. Can it be done without using the ApplicationOverride element?
2.  I had left <ds:KeyName></ds:KeyName> the same.
Would it be best practice to re-generate the self-signed key with  and
add  as an Alt domain?
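Added example, not part of the post above and not Shibboleth's own code: a small checker for the situation the post describes. A SAML IdP can only return the browser to an AssertionConsumerService that appears in the copy of the SP metadata it holds; an IdP registered before the <!--sp3--> endpoints were added still has the old copy, while a freshly registered IdP loads the current one. The script parses SP metadata, lists the ACS endpoints, models (as an assumption, not the Shibboleth IdP's exact logic) which endpoint an IdP would honour for a request, and diffs an IdP's stale copy against the current file. The entityID, the sp1/sp3 hostnames and both metadata documents are constructed for the example.

```python
"""Check which AssertionConsumerService (ACS) endpoints an IdP can see in a
given copy of SP metadata, and which one it would honour for a request.
Added example; hostnames and metadata below are constructed."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the SP metadata the existing IdPs loaded before sp3 existed.
OLD_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!--sp1-->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp1.example.org/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp1.example.org/Shibboleth.sso/SAML2/ECP" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: the same entity after the <!--sp3--> endpoints were appended.
NEW_SP_METADATA = OLD_SP_METADATA.replace(
    "  </md:SPSSODescriptor>",
    """    <!--sp3-->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp3.example.org/Shibboleth.sso/SAML2/POST" index="5"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp3.example.org/Shibboleth.sso/SAML2/ECP" index="7"/>
  </md:SPSSODescriptor>""")


def acs_endpoints(metadata_xml):
    """Return the ACS endpoints declared in SP metadata, sorted by index."""
    root = ET.fromstring(metadata_xml)
    out = []
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        out.append({
            "index": int(acs.get("index")),
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "default": acs.get("isDefault", "false").lower() == "true",
        })
    return sorted(out, key=lambda e: e["index"])


def choose_acs(metadata_xml, requested_location=None, binding=HTTP_POST):
    """Model (an assumption, not the Shibboleth IdP's code) of how an IdP picks
    the ACS for its response: a location named in the AuthnRequest must be
    present in the metadata the IdP holds, otherwise it is refused (None);
    with no explicit location the default endpoint for the binding wins,
    falling back to the lowest index."""
    eps = [e for e in acs_endpoints(metadata_xml) if e["binding"] == binding]
    if requested_location is not None:
        for e in eps:
            if e["location"] == requested_location:
                return e["location"]
        return None  # endpoint unknown to this IdP: it cannot send the user there
    defaults = [e for e in eps if e["default"]]
    return (defaults or eps)[0]["location"] if eps else None


def missing_endpoints(idp_copy_xml, current_xml):
    """Endpoints in the SP's current metadata that an IdP's stale copy lacks."""
    have = {(e["binding"], e["location"]) for e in acs_endpoints(idp_copy_xml)}
    return [e["location"] for e in acs_endpoints(current_xml)
            if (e["binding"], e["location"]) not in have]


if __name__ == "__main__":
    sp3 = "https://sp3.example.org/Shibboleth.sso/SAML2/POST"
    print("existing IdP (old copy), sp3 requested:", choose_acs(OLD_SP_METADATA, sp3))
    print("new IdP (current copy), sp3 requested: ", choose_acs(NEW_SP_METADATA, sp3))
    print("entries the existing IdPs still lack:  ",
          missing_endpoints(OLD_SP_METADATA, NEW_SP_METADATA))
```

Run it against the real sp-metadata.xml and the copy each partner IdP actually loads (or a metadata feed it consumes); every location that missing_endpoints reports is one the corresponding IdP cannot return a browser to until it refreshes the SP's metadata, regardless of whether the SP uses ApplicationOverride or a single application with several ACS endpoints.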