<!DOCTYPE HTML><html>
<head>
<meta name="Generator" content="Amazon WorkMail v3.0-4506">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>RE: Single Service Provider with Multiple IDP's</title>
</head>
<body>
<p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;">Julio,</p><p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;"> </p><p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;">You'll first need to upgrade.  2.6 is really unsupported at this point and has a range of vulnerabilities.</p><p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;"> </p><p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;">Second, you need a mapping from the Site ID in IIS to the hostname in Shibboleth.  You have one for st, but not for wt.</p><p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;"> </p><p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;">            <Site id="1" name="st.website.com"/></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">            <Site id="1518374912" name="wt.website.com"/></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">Third, you'll need to explicitly protect that location using the RequestMap.</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"><a href="https://wiki.shibboleth.net/confluence/display/SP3/RequestMap">https://wiki.shibboleth.net/confluence/display/SP3/RequestMap</a></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">You might have done that but omitted it from your email.</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; 
margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">You shouldn't hardcode one of the IdP names in your shibboleth2.xml file.  Instead, have no entityID attribute and pass it in on the query string:</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">https://wt.website.com/Shibboleth.sso/Login?entityID=https://wt.website.com/shibboleth</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">https://st.website.com/Shibboleth.sso/Login?entityID=https://st.website.com/shibboleth</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">It might work after those changes are made, but there's a good chance you'll hit another unexpected issue.  
ApplicationOverrides are hard, especially on IIS.</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">Take care,</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">Nate.</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px">--------</p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"><img src="https://www.signet.id/wp-content/uploads/2019/08/signature-e1566142203123.png" /></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"><font size="4">The Art of Access</font> <strong>®</strong></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"><font size="2"><strong>Nate Klingenstein</strong> | Principal</font></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"><font size="2"><a href="https://www.signet.id/">https://www.signet.id/</a> </font></p><p style="font-family:Arial,Tahoma,Helvetica,sans-serif; font-size:small; margin:0px"> </p><blockquote style="border-left:2px solid #b0b0b7; margin-left:5px; margin-right:0px; padding-left:5px">-----Original message-----<br /><strong>From:</strong> Julio Lopez<br /><strong>Sent:</strong> Tuesday, October 1 2019, 4:47 pm<br /><strong>To:</strong> users@shibboleth.net<br /><strong>Subject:</strong> Single Service Provider with Multiple IDP's<br /><br /><!-- begin sanitized html --><style type="text/css">P {margin-top:0;margin-bottom:0;}</style><div class="bodyclass"><div style="color:#000000; 
font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Hello everyone, first-time post here and I hope it makes sense.</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">We run Shibboleth SP 2.6.</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">We have an application that runs on a Windows IIS web server (7).</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">The application is hosted on a single website in IIS but responds to multiple DNS names. All DNS names point to the same external IP.</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><a id="LPlnk724950" title="This external link opens in a new window" href="https://st.website.com">https://st.website.com</a> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><a id="LPlnk417967" title="This external link opens in a new window" href="https://wt.website.com">https://wt.website.com</a></div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Shibboleth2.xml contains the following</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; 
font-size:12pt"><pre>    &lt;InProcess logger="native.logger"&gt;
        &lt;ISAPI normalizeRequest="true" safeHeaderNames="true"&gt;
            &lt;Site id="1" name="st.website.com"/&gt;
        &lt;/ISAPI&gt;
    &lt;/InProcess&gt;</pre></div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><a id="LPlnk484941" title="This external link opens in a new window" href="https://st.website.com">https://st.website.com</a> is configured (and working with Okta IDP) for Company A. Staff can log in via SSO.</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><a id="LPlnk119377" title="This external link opens in a new window" href="https://wt.website.com">https://wt.website.com</a> is configured in the shibboleth2.xml (not working with Okta IDP) for Company B, a completely separate IDP instance.</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">The following is what I have listed for both sites in the Shibboleth2.xml</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"><pre>https://st.website.com/SSOLogin"&gt;
        &lt;Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false"&gt;
            &lt;SSO entityID="http://www.okta.com/UNIQUEIDforCorpA"&gt;
                SAML2 SAML1
            &lt;/SSO&gt;
        &lt;/Sessions&gt;
        &lt;!-- If you can provide a URL to your metadata file, use the line below: --&gt;
        &lt;MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\st.website.com-idpMetadata.xml" /&gt;
        &lt;AttributeExtractor type="XML" validate="true" path="attribute-map-stwebsite.xml"/&gt;
        &lt;CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/&gt;
    &lt;/ApplicationOverride&gt;
    &lt;ApplicationOverride id="wt.website.com" entityID="https://wt.website.com/shibboleth" REMOTE_USER="eppn" homeURL="https://wt.website.com/SSOLogin"&gt;
        &lt;Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false"&gt;
            &lt;SSO entityID="http://www.okta.com/UNIQUEIDforCorpB"&gt;
                SAML2 SAML1
            &lt;/SSO&gt;
        &lt;/Sessions&gt;
        &lt;!-- If you can provide a URL to your metadata file, use the line below: --&gt;
        &lt;MetadataProvider type="XML" file="C:\opt\shibboleth-sp\etc\shibboleth\wt.website.com-idpMetadata.xml" /&gt;
        &lt;AttributeExtractor type="XML" validate="true" path="attribute-map-wtwebsite.xml"/&gt;
        &lt;CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/&gt;
    &lt;/ApplicationOverride&gt;
&lt;/ApplicationDefaults&gt;</pre></div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">When someone from Corp B goes to the wt.website.com/SSOLogin, they're redirected to Corp A's Okta instance and not to Corp B's Okta instance.</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div 
style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">I'm stuck and would appreciate some help as we will be bringing on more companies in the near future. </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">Thank you!</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt">-Julio</div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div><div style="color:#000000; font-family:Calibri,Helvetica,sans-serif; font-size:12pt"> </div></div><pre>-- 

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg

To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net</pre> <!-- end sanitized html --></blockquote>
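<p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;">Added example, not part of either message above: a shibboleth2.xml fragment for SP 3 that applies the three points in the reply. Both hostnames are mapped in the ISAPI Site list, the RequestMap protects /SSOLogin on each host and pins wt.website.com to its ApplicationOverride, and the SSO element carries no entityID so the IdP is chosen per request through the Login handler's entityID parameter, which names the IdP's entityID (Corp B's Okta entityID from the original post is used in the comment). The site ids, hostnames, SP entityIDs and attribute-map names are the ones quoted in the thread; the metadata file names, the handlerSSL/cookieProps hardening and the handler list are assumptions. Each application loads only its own IdP's metadata, so the entityID parameter can only select an IdP that host already trusts.</p>

```xml
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

    <!-- One Site entry per IIS site id, named for the hostname the SP should
         treat as authoritative for that site. The ids are the ones quoted in
         the reply and must match the site ids shown in IIS Manager. If both
         hostnames are bindings of a single IIS site, one Site element with an
         <Alias>wt.website.com</Alias> child covers both names instead. -->
    <InProcess>
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <Site id="1" name="st.website.com"/>
            <Site id="1518374912" name="wt.website.com"/>
        </ISAPI>
    </InProcess>

    <!-- Explicit protection per host. applicationId selects the override that
         carries that host's SP entityID and IdP metadata; without it a request
         to wt.website.com falls through to the default application and its IdP. -->
    <RequestMapper type="Native">
        <RequestMap>
            <Host name="st.website.com">
                <Path name="SSOLogin" authType="shibboleth" requireSession="true"/>
            </Host>
            <Host name="wt.website.com" applicationId="wt.website.com">
                <Path name="SSOLogin" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <!-- st.website.com is served by the defaults; wt.website.com by an override. -->
    <ApplicationDefaults entityID="https://st.website.com/shibboleth"
                         REMOTE_USER="eppn"
                         homeURL="https://st.website.com/SSOLogin">

        <!-- Assumed hardening: both sites are HTTPS, so handlers and session
             cookies are restricted to HTTPS as well. -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  relayState="cookie" handlerSSL="true" cookieProps="https">
            <!-- No entityID attribute here. The Login handler takes the IdP from
                 the request, e.g.
                 https://wt.website.com/Shibboleth.sso/Login?entityID=http://www.okta.com/UNIQUEIDforCorpB
                 and fails the request if the parameter is missing or names an IdP
                 absent from this application's metadata. SAML2 only: SP 3 has no
                 SAML 1 support, so the "SAML2 SAML1" form from 2.x is gone. -->
            <SSO>SAML2</SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <!-- Metadata file names are assumed. Only Corp A's IdP is loaded here. -->
        <MetadataProvider type="XML" validate="true" path="st.website.com-idpMetadata.xml"/>
        <AttributeExtractor type="XML" validate="true" path="attribute-map-stwebsite.xml"/>
        <CredentialResolver type="File" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>

        <!-- The override replaces MetadataProvider and AttributeExtractor for
             wt.website.com, so this host can only be sent to Corp B's IdP.
             Sessions and CredentialResolver are inherited from the defaults. -->
        <ApplicationOverride id="wt.website.com"
                             entityID="https://wt.website.com/shibboleth"
                             homeURL="https://wt.website.com/SSOLogin">
            <MetadataProvider type="XML" validate="true" path="wt.website.com-idpMetadata.xml"/>
            <AttributeExtractor type="XML" validate="true" path="attribute-map-wtwebsite.xml"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

<p style="margin: 0px; font-family: Arial, Tahoma, Helvetica, sans-serif; font-size: small;">A quick check after applying this: request https://wt.website.com/Shibboleth.sso/Metadata and confirm the generated entityID is https://wt.website.com/shibboleth rather than the st value; if it is not, the ISAPI Site mapping or the RequestMap applicationId is not taking effect, and that is exactly the condition under which Corp B users get sent to Corp A's IdP.</p>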
</body>
</html>