multiple applications setup with existing IDP

Peter Schober peter.schober at
Wed May 22 18:27:01 EDT 2019

* irfan sarwar <isarwar3334 at> [2019-05-22 22:57]:
> when i added the 2nd application i made only 2 modifications:

An SP with multiple vhosts needs all endpoints in metdata (or your
signing requests and the IDPs add appropriate config), yes.
The fact that the protected resource it's a reverse proxy is
immeterial as SAML terminates on that one webserver.

> The issue i'm having is that after authentication existing IDPs are
> not able redirect me back to the sp3.  I'm sent back to the EDS page
> with the drop down.

Look at the requests and responses in the browser, e.g. using the
SAMLtracer extension. Where is the SAML response being sent to? That's
the immediate response after recieving the SAML response from the SP

> 1a. Why I can't use the existing IDPs to authenticate to multiple
> applications behind my SP (reverse proxy server)?
> 1b. Can it be done without using the ApplicationOverride element?

Ah, ApplicationOverride in place. Always suspicious.
Well, nothing you described so far would require overrides, so yes.

> 2.  I had left  <ds:KeyName></ds:KeyName> as still the
> same.  would it be best practice to re-generate the selfsigned key with and
> add as an Alt domain?

Shouldn't matter one bit. You can remove KeyName from metadata,
depending on the trust model you're using (which of course you don't
mention). If in doubt throw it out.


More information about the users mailing list