Shibboleth - Multiple Domains on a single Entity

Hello All,

I am running a Shibboleth SP which uses a set of federated IdPs (InCommon). Up until now everything has been working well; however, there is now an interest in adding a domain to our system (a different virtual host in Apache). This domain will also need to be authenticated with our Shibboleth SP.

My question is: is there a way to add a new domain that is authenticated against the same preexisting entity ID? We can set up multiple entities, of course, but it sounds simpler to go with one, since that entity still represents the org behind the new domain.

Let me know if you’d like more details about our configuration. Thanks all!

From my local shib person: Information can be found at https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065334314/ApplicationModel and https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2063696335/ApplicationOverride. It’s worth reading both of these to determine whether you need an “ApplicationOverride” for your particular use case (e.g., if you need to assert different attributes for different vhosts on your Apache server instance). If you just want all the vhosts to be one single SP application, and share the same SP session, then simply having a <VirtualHost> block in your apache config, with multiple ServerAlias directives should be all that is needed. The Shib SP will dynamically construct the ACS URL (the endpoint that the Shib IdP redirects the user back to, with the SAML response, following authentication) in the SAML AuthnRequest – as long as all of those ACS URL values are registered in the SP metadata that the IdP has, it should work great.

Sorry for the late reply, just coming back to this. Thank you for this very helpful info! Unfortunately, this is still not working for me. I get a “Web Login Service - Unable to Respond” message when I try to authenticate on any of the configured ACS URLs. I confirmed that the AuthnRequest is setting the ACS URL correctly, and confirmed that the SP and IdP have up-to-date metadata, so I’m not sure what’s going on. Any insight on where I can track down the issue?
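The reply above hinges on one condition: every hostname the Apache vhost answers for (ServerName plus each ServerAlias) must have a matching AssertionConsumerService Location in the SP metadata the IdP holds. The script below is an added check for that, not code from the thread or from Shibboleth; the entityID, hostnames and sample metadata are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (placeholder entityID and hostnames).
# Only two hosts have registered ACS endpoints; a third vhost alias does not.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.example.org/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_hosts(metadata_xml: str, entity_id: str) -> set:
    """Hostnames that appear in any AssertionConsumerService Location of the
    named entity. Works on a single EntityDescriptor or on a federation
    aggregate (EntitiesDescriptor) by selecting the matching entityID."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):  # iter() includes root itself
        if ed.get("entityID") != entity_id:
            continue
        for acs in ed.iter("{%s}AssertionConsumerService" % MD_NS):
            host = urlparse(acs.get("Location", "")).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def missing_vhosts(metadata_xml: str, entity_id: str, vhosts: list) -> list:
    """vhost hostnames (ServerName + ServerAlias values) with no registered ACS
    endpoint. An AuthnRequest whose dynamically built ACS URL uses one of
    these hosts will not match what the IdP has in metadata."""
    registered = acs_hosts(metadata_xml, entity_id)
    return sorted({h.lower() for h in vhosts if h.lower() not in registered})


if __name__ == "__main__":
    vhosts = ["sp.example.org", "www.example.org", "newdomain.example.net"]
    print(missing_vhosts(SAMPLE_SP_METADATA, "https://sp.example.org/shibboleth", vhosts))
```

Run it against the metadata the IdP actually consumes (for a federated IdP, the published aggregate), not only the SP's locally generated copy, since a host that is missing there is the one the IdP will fail to answer for.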