multiple applications setup with existing IDP

irfan sarwar isarwar3334 at gmail.com
Wed May 22 16:56:59 EDT 2019


Hi,
I have 2 applications on separate servers.
I have a reverse web proxy server in front of them with Shibboleth
installed on it.
sp1.mcftestsite.com points to the first application
sp3.mcftestsite.com points to the second application

I have EDS working as a discovery service for the 1st application.

When I added the 2nd application I made only 2 modifications:
I added the lines under <!--sp3--> to my sp-metadata.xml file

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp1.mcftestsite.com/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://sp1.mcftestsite.com/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp1.mcftestsite.com/Shibboleth.sso/SAML2/ECP" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp1.mcftestsite.com/Shibboleth.sso/SAML/POST" index="4"/>
    <!--sp3-->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp3.mcftestsite.com/Shibboleth.sso/SAML2/POST" index="5"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://sp3.mcftestsite.com/Shibboleth.sso/SAML2/POST-SimpleSign" index="6"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp3.mcftestsite.com/Shibboleth.sso/SAML2/ECP" index="7"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp3.mcftestsite.com/Shibboleth.sso/SAML/POST" index="8"/>

and added the name sp3.mcftestsite.com to the idpselect_config.js file's
"this.returnWhiteList".


The issue I'm having is that after authentication existing IDPs are not
able to redirect me back to sp3. I'm sent back to the EDS page with the
drop down.

If I test with a new IDP (which has the explicit ACS
"sp3.mcftestsite.com/Shibboleth.sso/SAML2/POST") I'm able to log in to the
2nd site without issues.
(In order to test with the new IDP I of course had to add the idps-metadata, so
shibboleth.xml is also modified at this point.)

My questions are:

1a. Why can't I use the existing IDPs to authenticate to multiple
applications behind my SP (reverse proxy server)?
1b. Can it be done without using the ApplicationOverride element?
2.  I left <ds:KeyName>sp1.mcftestsite.com</ds:KeyName> the same. Would it
be best practice to re-generate the self-signed key and add
sp3.mcftestsite.com as an alt domain?
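Added example, not from the poster or the Shibboleth project: two checks a practitioner would run when IdPs that worked before stop returning to a newly added endpoint. The first compares the ACS endpoints an IdP actually holds in its copy of the SP metadata against what the SP now advertises (an IdP that validates the ACS against metadata will not post a response to an endpoint it does not know); the second checks that each ACS host is covered by an EDS returnWhiteList pattern. The stale metadata copy, the entityID and the whitelist entry are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: the copy of the SP metadata an existing IdP consumed
# before the sp3 endpoints were added, so it lists only the sp1 ACS.
STALE_IDP_COPY = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://sp1.mcftestsite.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}"
        Location="https://sp1.mcftestsite.com/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The HTTP-POST ACS endpoints the SP advertises locally (sp1 plus the sp3 block).
EXPECTED_ACS = {
    (POST, "https://sp1.mcftestsite.com/Shibboleth.sso/SAML2/POST"),
    (POST, "https://sp3.mcftestsite.com/Shibboleth.sso/SAML2/POST"),
}

# Constructed returnWhiteList entry in the form idpselect_config.js uses,
# written as a Python raw-string regex; only sp1 is listed in this sample.
RETURN_WHITELIST = [r"^https://sp1\.mcftestsite\.com/Shibboleth\.sso/Login.*$"]

def acs_endpoints(metadata_xml):
    """Map (Binding, Location) -> index for every ACS in a metadata document."""
    root = ET.fromstring(metadata_xml)
    return {(a.get("Binding"), a.get("Location")): int(a.get("index"))
            for a in root.iter(f"{{{MD_NS}}}AssertionConsumerService")}

def missing_from_idp_copy(idp_metadata_xml, expected):
    """ACS endpoints absent from the IdP's copy; responses will not be sent there."""
    return sorted(set(expected) - set(acs_endpoints(idp_metadata_xml)))

def hosts_not_in_return_whitelist(expected, whitelist):
    """ACS hosts whose EDS return URL (<host>/Shibboleth.sso/Login?...) matches no entry."""
    uncovered = set()
    for _binding, location in expected:
        host = urlparse(location).hostname
        return_url = f"https://{host}/Shibboleth.sso/Login?SAMLDS=1&target=/"
        if not any(re.match(pattern, return_url) for pattern in whitelist):
            uncovered.add(host)
    return sorted(uncovered)

if __name__ == "__main__":
    print("ACS missing from IdP copy:", missing_from_idp_copy(STALE_IDP_COPY, EXPECTED_ACS))
    print("hosts not in returnWhiteList:", hosts_not_in_return_whitelist(EXPECTED_ACS, RETURN_WHITELIST))
```

Run it against the metadata each IdP actually consumes (the published file or feed, not the local edit) to see which IdPs still lack the sp3 endpoints.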