Multiple authentication with same IdP - multiple app - Shibboleth as SP

Peter Schober peter.schober at
Mon Nov 4 06:27:46 EST 2019

* uday.chandra.kumar <uday.chandra.kumar at> [2019-11-04 08:52]:
> In a SP initiated flow, I am getting authenticated by an IdP for logging
> into my application (say app1). Now, after successful login, I am loading
> page of another application (say app2) which also authenticates a user by
> the same IdP and then only lets user access its pages/data etc. Now, I
> don't want to make my user enter his credentials again since the user has
> already been authenticated by IdP while logging into my parent application
> i.e. app1.

First of all, the subject shouldn't need to enter their credentials
again at the IDP due to SSO (unless their SSO session with the IDP has
meanwhile expired or you are requesting forced authentication at the
IDP or maybe the IDP doesn't offer SSO at all).

If app1 and app2 are on the same vhost and you're simply protecting
the whole vhost with the Shib SP then those two resources are the same
"application" as far as the SP is concerned and logging in to one will
also establish a valid session for any other protected resource on
that vhost.
So the behaviour you desire is already the default. Achieving the
opposite (separate sessions for different paths on the same vhost) is
actually much more involved.

If OTOH app1 and app2 are on different vhosts (or different servers
altogether) then the browser will not send HTTP cookies from prior
access to either of the two resources when accessing the other vhost,
so you'd have to be bounced back to the IDP and establish SP sessions
at each vhost separately.
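
Added example, not part of the original message: a Python model of the browser-side cookie matching (RFC 6265 domain and path rules) that produces the same-vhost versus different-vhost behaviour described above. The host names, the cookie name suffix, and the assumption that the SP session cookie is host-only with path `/` and the Secure flag are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    origin_host: str               # host that sent the Set-Cookie header
    domain: Optional[str] = None   # Domain attribute; None means host-only
    path: str = "/"
    secure: bool = True            # assumed: cookie only sent over https


def domain_match(host: str, cookie: Cookie) -> bool:
    host = host.lower()
    if cookie.domain is None:      # host-only cookie: exact host match required
        return host == cookie.origin_host.lower()
    dom = cookie.domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)


def path_match(request_path: str, cookie_path: str) -> bool:
    request_path = request_path or "/"
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # "/app1" must not match "/app10": require a "/" boundary
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, url):
    u = urlsplit(url)
    return [c.name for c in jar
            if domain_match(u.hostname, c)
            and path_match(u.path, c.path)
            and (u.scheme == "https" or not c.secure)]


def has_sp_session(jar, url):
    # True if the browser would present an SP session cookie to this URL
    return any(n.startswith("_shibsession_") for n in cookies_sent(jar, url))


# Constructed sample: session cookie set after logging in to app1 on one vhost
JAR = [Cookie("_shibsession_0123abcd", "portal.example.org")]
```

Where `has_sp_session` returns False for a URL, the SP on that vhost sees no session and the browser is bounced to the IDP, where an existing SSO session can answer without prompting for credentials.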

