Single Service Provider with Multiple IDP's
Julio Lopez
julz at outlook.com
Tue Oct 1 18:47:06 EDT 2019
Hello everyone, first time post here and I hope it makes sense.
We run Shibboleth SP 2.6.
We have an application that runs on a Windows IIS webserver (7).
The application is hosted on a single website in IIS but responds to multiple DNS names. All DNS names point to the same external IP.
https://st.website.com
https://wt.website.com
Shibboleth2.xml contains the following:
<InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="1" name="st.website.com"/>
    </ISAPI>
</InProcess>
https://st.website.com is configured (and working with Okta IDP) for Company A. Staff can log in via SSO.
https://wt.website.com is configured in the shibboleth2.xml (not working with Okta IDP) for Company B, a completely separate IDP instance.
The following is what I have listed for both sites in the Shibboleth2.xml:
https://st.website.com/SSOLogin">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false">
        <SSO entityID="http://www.okta.com/UNIQUEIDforCorpA">
            SAML2 SAML1
        </SSO>
    </Sessions>
    <!-- If you can provide a URL to your metadata file, use the line below: -->
    <MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\st.website.com-idpMetadata.xml" />
    <AttributeExtractor type="XML" validate="true" path="attribute-map-stwebsite.xml"/>
    <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
</ApplicationOverride>
<ApplicationOverride id="wt.website.com" entityID="https://wt.website.com/shibboleth" REMOTE_USER="eppn" homeURL="https://wt.website.com/SSOLogin">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false">
        <SSO entityID="http://www.okta.com/UNIQUEIDforCorpB">
            SAML2 SAML1
        </SSO>
    </Sessions>
    <!-- If you can provide a URL to your metadata file, use the line below: -->
    <MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\wt.website.com-idpMetadata.xml" />
    <AttributeExtractor type="XML" validate="true" path="attribute-map-wtwebsite.xml"/>
    <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
</ApplicationOverride>
</ApplicationDefaults>
When someone from Corp B goes to the wt.website.com/SSOLogin, they're redirected to Corp A's Okta instance and not to Corp B's Okta instance.
I'm stuck and would appreciate some help as we will be bringing on more companies in the near future.
Thank you!
-Julio
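Added example, not from the original post or from the Shibboleth project: a shibboleth2.xml skeleton that shows the two pieces the SP needs before an ApplicationOverride is ever selected for a second hostname. An ApplicationOverride is only used when the RequestMap routes a request to it by applicationId, and the ISAPI filter only knows a hostname if a <Site> declares it (with normalizeRequest="true" an undeclared host is canonicalised to the declared site name, so the RequestMap never sees wt.website.com). Only the two hostnames, the override ids, the Okta entityIDs and the attribute-map file names come from the post; the IIS site id for the second site, the default entityID, the metadata file names and the assumption that each hostname is its own IIS site are placeholders. handlerSSL is set to true here because both hosts are served over HTTPS.

```xml
<!-- Added example; not the poster's configuration. Placeholders are marked. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">

  <!-- 1. Declare every hostname the filter must recognise. With
       normalizeRequest="true" the filter rewrites the request host to the
       matching <Site name>; a hostname that is not declared is folded into
       the one that is, so the RequestMap below only ever sees st.website.com.
       Assumption: one IIS site per hostname; id="2" is a placeholder that must
       match the real IIS site id. -->
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
      <Site id="1" name="st.website.com"/>
      <Site id="2" name="wt.website.com"/>
    </ISAPI>
  </InProcess>

  <!-- 2. Route each host to its own application. Without an applicationId on
       the <Host>, every request is served by the default application and so
       by the default application's IdP. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="st.website.com" applicationId="st.website.com"
            authType="shibboleth" requireSession="true"/>
      <Host name="wt.website.com" applicationId="wt.website.com"
            authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>

  <!-- Placeholder default entityID; the overrides below carry the real ones. -->
  <ApplicationDefaults entityID="https://sp.example.invalid/shibboleth" REMOTE_USER="eppn">

    <!-- The id attribute is what the RequestMap's applicationId must match. -->
    <ApplicationOverride id="st.website.com" entityID="https://st.website.com/shibboleth"
                         homeURL="https://st.website.com/SSOLogin">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="cookie" handlerSSL="true">
        <SSO entityID="http://www.okta.com/UNIQUEIDforCorpA">SAML2 SAML1</SSO>
      </Sessions>
      <MetadataProvider type="XML" file="st.website.com-idpMetadata.xml"/>
      <AttributeExtractor type="XML" validate="true" path="attribute-map-stwebsite.xml"/>
      <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    </ApplicationOverride>

    <ApplicationOverride id="wt.website.com" entityID="https://wt.website.com/shibboleth"
                         homeURL="https://wt.website.com/SSOLogin">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="cookie" handlerSSL="true">
        <SSO entityID="http://www.okta.com/UNIQUEIDforCorpB">SAML2 SAML1</SSO>
      </Sessions>
      <MetadataProvider type="XML" file="wt.website.com-idpMetadata.xml"/>
      <AttributeExtractor type="XML" validate="true" path="attribute-map-wtwebsite.xml"/>
      <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    </ApplicationOverride>

  </ApplicationDefaults>
</SPConfig>
```

After changing the file, restart shibd and IIS, then check from a Corp B browser that the redirect from wt.website.com/SSOLogin carries the SAML request to Corp B's Okta entityID rather than Corp A's; each additional company then needs its own <Site>, <Host> and ApplicationOverride entry, all keyed on the same id.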