Single Service Provider with Multiple IDP's
Nate Klingenstein
ndk at signet.id
Tue Oct 1 19:56:06 EDT 2019
Julio,
You'll first need to upgrade. 2.6 is really unsupported at this point and has a range of vulnerabilities.
Second, you need a mapping from the Site ID in IIS to the hostname in Shibboleth. You have one for st, but not for wt.
<Site id="1" name="st.website.com"/>
<Site id="1518374912" name="wt.website.com"/>
Third, you'll need to explicitly protect that location using the RequestMap.
https://wiki.shibboleth.net/confluence/display/SP3/RequestMap
You might have done that but omitted it from your email.
You shouldn't hardcode one of the IdP names in your shibboleth2.xml file. Instead, have no entityID attribute and pass it in on the query string:
https://wt.website.com/Shibboleth.sso/Login?entityID=https://wt.website.com/shibboleth
https://st.website.com/Shibboleth.sso/Login?entityID=https://st.website.com/shibboleth
It might work after those changes are made, but there's a good chance you'll hit another unexpected issue. ApplicationOverrides are hard, especially on IIS.
Take care,
Nate.
--------
The Art of Access ®
Nate Klingenstein | Principal
https://www.signet.id/
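As an added example, not code from this thread or from the Shibboleth project: the script below turns the three fixes in the reply into checks over a shibboleth2.xml (an ISAPI Site mapping for every host, an explicit RequestMap Host entry per vhost routed to its ApplicationOverride, and no entityID on <SSO>), adds a check on handlerSSL because the posted config turns it off, and builds per-host Login URLs that select the IdP on the query string. The Login handler's entityID parameter names the IdP to authenticate against, so the Okta entityID for that company is what goes there. The "before" and "after" fragments are constructed to mirror the posted config; the Okta entityIDs and the wt Site id are the placeholders quoted in the thread, and the RequestMap layout is an assumption about the poster's deployment.

```python
"""Audit a Shibboleth SP shibboleth2.xml for the multi-host mistakes discussed
above and build Login URLs that pick the IdP on the query string.
Constructed example for this thread; not Shibboleth project code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed "before" fragment with the shape of the posted config: one ISAPI
# Site, no RequestMap, an IdP entityID hardcoded on each <SSO>, handlerSSL off.
BEFORE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess><ISAPI><Site id="1" name="st.website.com"/></ISAPI></InProcess>
  <ApplicationDefaults entityID="https://st.website.com/shibboleth" REMOTE_USER="eppn">
    <Sessions handlerSSL="false">
      <SSO entityID="http://www.okta.com/UNIQUEIDforCorpA">SAML2 SAML1</SSO>
    </Sessions>
    <ApplicationOverride id="wt.website.com" entityID="https://wt.website.com/shibboleth">
      <Sessions handlerSSL="false">
        <SSO entityID="http://www.okta.com/UNIQUEIDforCorpB">SAML2 SAML1</SSO>
      </Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed "after" fragment: both IIS sites mapped (the wt Site id is the one
# quoted in the reply), both hosts explicitly protected and routed to their
# application, no entityID on <SSO>, handlers kept on TLS. RequestMap layout
# is an assumption about the poster's deployment.
AFTER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <InProcess><ISAPI normalizeRequest="true" safeHeaderNames="true">
    <Site id="1" name="st.website.com"/>
    <Site id="1518374912" name="wt.website.com"/>
  </ISAPI></InProcess>
  <RequestMapper type="Native"><RequestMap>
    <Host name="st.website.com" applicationId="default" authType="shibboleth" requireSession="true"/>
    <Host name="wt.website.com" applicationId="wt.website.com" authType="shibboleth" requireSession="true"/>
  </RequestMap></RequestMapper>
  <ApplicationDefaults entityID="https://st.website.com/shibboleth" REMOTE_USER="eppn">
    <Sessions handlerSSL="true"><SSO>SAML2 SAML1</SSO></Sessions>
    <ApplicationOverride id="wt.website.com" entityID="https://wt.website.com/shibboleth">
      <Sessions handlerSSL="true"><SSO>SAML2 SAML1</SSO></Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def _named(root, local_name):
    """All elements with the given local name, ignoring the config namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == local_name]


def audit(xml_text):
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    sites = {s.get("name"): s.get("id") for s in _named(root, "Site")}
    hosts = {h.get("name"): h for h in _named(root, "Host")}
    app_ids = {"default"} | {o.get("id") for o in _named(root, "ApplicationOverride")}

    if not hosts:
        findings.append("RequestMap has no <Host> entries; nothing is explicitly protected")
    # Every host the ISAPI filter must handle needs an IIS site id -> hostname mapping.
    for name in hosts.keys() - sites.keys():
        findings.append(f"Host {name} has no ISAPI <Site> mapping")
    # A mapped site that is absent from the RequestMap silently falls under the defaults.
    for name in sites.keys() - hosts.keys():
        findings.append(f"Site {name} has no RequestMap <Host> entry")
    for name, h in hosts.items():
        app = h.get("applicationId", "default")
        if app not in app_ids:
            findings.append(f"Host {name} routes to unknown applicationId {app}")
        if h.get("requireSession") != "true":
            findings.append(f"Host {name} does not set requireSession=\"true\"")
    # IdP selection belongs on the Login URL, not in the config.
    for sso in _named(root, "SSO"):
        if sso.get("entityID"):
            findings.append(f"<SSO> hardcodes IdP {sso.get('entityID')}")
    # Handlers carry SAML responses and session cookies; keep them on TLS (SP3 default).
    for s in _named(root, "Sessions"):
        if s.get("handlerSSL", "true").lower() == "false":
            findings.append("Sessions handlerSSL=\"false\" lets handlers run over plain HTTP")
    return findings


def login_url(host, idp_entity_id, target=None):
    """Login handler URL for one vhost; entityID names the IdP to send the user to."""
    params = {"entityID": idp_entity_id}
    if target:
        params["target"] = target
    return f"https://{host}/Shibboleth.sso/Login?{urlencode(params)}"


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or "OK")
    print(login_url("wt.website.com", "http://www.okta.com/UNIQUEIDforCorpB", "/SSOLogin"))
```

Run it against a real shibboleth2.xml by reading the file into audit(); the "before" fragment is expected to produce findings for the missing RequestMap, the unmapped site, the two hardcoded IdPs and the two handlerSSL="false" settings, while the "after" fragment is expected to come back clean.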
-----Original message-----
From: Julio Lopez
Sent: Tuesday, October 1 2019, 4:47 pm
To: users at shibboleth.net
Subject: Single Service Provider with Multiple IDP's
Hello everyone, first-time post here and I hope it makes sense.
We run Shibboleth SP 2.6.
We have an application that runs on a Windows IIS web server (7).
The application is hosted on a single website in IIS but responds to multiple DNS names. All DNS names point to the same external IP:
https://st.website.com
https://wt.website.com
Shibboleth2.xml contains the following:
<InProcess logger="native.logger">
  <ISAPI normalizeRequest="true" safeHeaderNames="true">
    <Site id="1" name="st.website.com"/>
  </ISAPI>
</InProcess>
https://st.website.com is configured (and working with Okta IDP) for Company A. Staff can login via SSO.
https://wt.website.com is configured in the shibboleth2.xml (not working with Okta IDP) for Company B, a completely separate IDP instance.
The following is what I have listed for both sites in the Shibboleth2.xml:
  https://st.website.com/SSOLogin">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false">
      <SSO entityID="http://www.okta.com/UNIQUEIDforCorpA">
        SAML2 SAML1
      </SSO>
    </Sessions>
    <!-- If you can provide a URL to your metadata file, use the line below: -->
    <MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\st.website.com-idpMetadata.xml" />
    <AttributeExtractor type="XML" validate="true" path="attribute-map-stwebsite.xml"/>
    <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
  </ApplicationOverride>
  <ApplicationOverride id="wt.website.com" entityID="https://wt.website.com/shibboleth" REMOTE_USER="eppn" homeURL="https://wt.website.com/SSOLogin">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false">
      <SSO entityID="http://www.okta.com/UNIQUEIDforCorpB">
        SAML2 SAML1
      </SSO>
    </Sessions>
    <!-- If you can provide a URL to your metadata file, use the line below: -->
    <MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\wt.website.com-idpMetadata.xml" />
    <AttributeExtractor type="XML" validate="true" path="attribute-map-wtwebsite.xml"/>
    <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
  </ApplicationOverride>
</ApplicationDefaults>
When someone from Corp B goes to the wt.website.com/SSOLogin, they're redirected to Corp A's Okta instance and not to Corp B's Okta instance.
I'm stuck and would appreciate some help as we will be bringing on more companies in the near future.
Thank you!
-Julio
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net