Shibboleth 3.x & Multiple Sites on IIS Server

Bhagwat, Shrikant shrbhagw at
Mon Feb 3 15:04:33 EST 2020


We looked; in our case we don't need to use the ApplicationOverride element. Both sites, site1 & site2, are very similar.

I could not figure out how to add the second site "site2.lan" in the ApplicationDefault element. Or is it not necessary?
I am the IDP Admin as well as SP admin.

Also, how do I get them a separate entityID for each site if I need to?

-----Original Message-----
From: users <users-bounces at> On Behalf Of Peter Schober
Sent: Monday, February 3, 2020 2:16 PM
To: users at
Subject: Re: Shibboleth 3.x & Multiple Sites on IIS Server

* Bhagwat, Shrikant <shrbhagw at> [2020-02-03 20:02]:
> We have two Web Site on Single IIS Server running on Windows 2016 Server.
> [...]
> What do we in the element
> <ApplicationDefaults entityID="https://site1.lan/shibboleth"
>         REMOTE_USER="eppn subject-id pairwise-id persistent-id"
>         cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
> Or do we use ApplicationOverride element for each site?

If an IDP does not need to differentiate between those applications/sites, treat it as a single SP and keep a single entityID.

(Maybe pick an entityID value that's appropriate for all sites hosted by that SP, e.g. based on the department or a purpose shared between those sites. If in doubt ask your IDP admin for guidance.)

If the sites hosted are vastly different (to the extent that the SAML IDP needs to care about) you can still give them separate entityIDs without having to use ApplicationOverrides. Only do this if the deployment really calls for it, of course.

If the existing documentation[1] doesn't clear up for you when (and when not!) to use ApplicationOverrides you'll need to ask concrete questions that go beyond what the documentation states.


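The two layouts discussed in the thread, sketched as shibboleth2.xml fragments. This is an added example, not configuration posted by either participant. The IIS instance IDs, the https/443 bindings, whole-site `requireSession`, and the shared entityID `https://webapps.example.lan/shibboleth` are assumptions. `entityIDSelf` is the SP 3.x content setting that sets the SP's own entityID per host without an ApplicationOverride.

```xml
<!-- Added example: fragments of shibboleth2.xml for two IIS sites on one SP. -->
<!-- Assumed: IIS instance IDs 1 and 2, https on 443, whole-site protection. -->

<InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <!-- One <Site> per IIS site, mapping its instance ID to the canonical host name. -->
        <Site id="1" name="site1.lan" scheme="https" port="443"/>
        <Site id="2" name="site2.lan" scheme="https" port="443"/>
    </ISAPI>
</InProcess>

<RequestMapper type="Native">
    <RequestMap>
        <!-- Variant A, single SP: both hosts inherit the entityID from ApplicationDefaults. -->
        <Host name="site1.lan" authType="shibboleth" requireSession="true"/>
        <Host name="site2.lan" authType="shibboleth" requireSession="true"/>

        <!-- Variant B, one entityID per site, still without ApplicationOverride:
             replace the two Host lines above with
             <Host name="site1.lan" entityIDSelf="https://site1.lan/shibboleth"
                   authType="shibboleth" requireSession="true"/>
             <Host name="site2.lan" entityIDSelf="https://site2.lan/shibboleth"
                   authType="shibboleth" requireSession="true"/> -->
    </RequestMap>
</RequestMapper>

<!-- Variant A value: a constructed name that covers both sites. -->
<ApplicationDefaults entityID="https://webapps.example.lan/shibboleth"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
    <!-- Sessions, Errors, MetadataProvider and the other children stay as in the existing file. -->
</ApplicationDefaults>
```

With variant A, the metadata registered at the IdP for the single entityID has to list the assertion consumer endpoints of both host names. With variant B, each entityID needs its own metadata entry at the IdP.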