Shibboleth 2 SP and Multiple IdPs

Recently I was working on setting up a Shibboleth 2 SP that had multiple virtual hosts configured on it. Since nothing stays the same way for long, it ended up that we needed to point the Shibboleth SP at two different IdPs. I have easily done this in the past by setting up an individual SessionInitiator type for each IdP and then telling the SP where to go to by doing Lazy Initialization.

<SessionInitiator type="Chaining" Location="/Login-one" isDefault="true" id="Intranet"
        entityID="https://sso.one.com/idp">
    <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

<SessionInitiator type="Chaining" Location="/Login-two" isDefault="false" id="Intranet-beta"
        entityID="https://sso.two.com/idp">
    <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1" defaultACSIndex="5"/>
</SessionInitiator>

Now that there are two Session Initiators, you can authenticate to the first IdP just by going to the web page, since it is set up as the default. You can also call /Shibboleth.sso/Login-one to use the first IdP explicitly. If you want to use the second IdP, call the /Shibboleth.sso/Login-two address instead.

This works great if you have one site that needs to authenticate via multiple identity providers. But if you are running multiple sites on your Shibboleth SP and want to choose which identity provider each one calls, you can do this with the entityID attribute on the Host element in the shibboleth2.xml file, as shown below.

<Host name="site.one.com" applicationId="app1" authType="shibboleth" requireSession="true"/>
<Host name="site.two.com" applicationId="app2" authType="shibboleth" requireSession="true" entityID="https://idp.two.com/idp"/>

Now we have set up the Host section to secure the domain site.one.com with the default session initiator, which points at https://sso.one.com/idp. Since we wanted site.two.com to be directed to the second IdP, https://idp.two.com/idp, we added the entityID attribute to the Host element for that domain name. All authentication requests for site.two.com will now be sent to the second IdP by default.
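As an added example (my own script, not from the post or the Shibboleth project), the following Python parses a constructed shibboleth2.xml containing the fragments above and reports which IdP each Host will be sent to: the Host's own entityID if present, otherwise the entityID of the SessionInitiator marked isDefault="true". It also flags a Host entityID that no configured SessionInitiator names, which is the case for site.two.com in the fragments above (idp.two.com versus sso.two.com), so the administrator can confirm that IdP is actually present in the SP's metadata before relying on the override.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's two SessionInitiators and two Hosts in a
# minimal shibboleth2.xml skeleton (only the elements this script reads).
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="site.one.com" applicationId="app1" authType="shibboleth" requireSession="true"/>
      <Host name="site.two.com" applicationId="app2" authType="shibboleth" requireSession="true"
            entityID="https://idp.two.com/idp"/>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults id="default" entityID="https://sp.example.com/shibboleth">
    <Sessions handlerURL="/Shibboleth.sso">
      <SessionInitiator type="Chaining" Location="/Login-one" isDefault="true" id="Intranet"
              entityID="https://sso.one.com/idp">
        <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false"/>
        <SessionInitiator type="Shib1" defaultACSIndex="5"/>
      </SessionInitiator>
      <SessionInitiator type="Chaining" Location="/Login-two" isDefault="false" id="Intranet-beta"
              entityID="https://sso.two.com/idp">
        <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false"/>
        <SessionInitiator type="Shib1" defaultACSIndex="5"/>
      </SessionInitiator>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

def local_name(tag):  # strip the XML namespace so lookups work whatever prefix the file uses
    return tag.rsplit("}", 1)[-1]

def effective_idps(xml_text):
    """Map each Host name to (IdP entityID it will be sent to, named by a SessionInitiator?)."""
    root = ET.fromstring(xml_text)
    # Only top-level initiators carry a Location; the nested SAML2/Shib1 ones are protocol handlers.
    initiators = [e for e in root.iter() if local_name(e.tag) == "SessionInitiator" and e.get("Location")]
    defaults = [i.get("entityID") for i in initiators if i.get("isDefault") == "true"]
    if len(defaults) != 1:  # this script insists on one unambiguous default initiator
        raise ValueError("expected exactly one SessionInitiator with isDefault=\"true\", found %d" % len(defaults))
    known = {i.get("entityID") for i in initiators if i.get("entityID")}
    result = {}
    for host in (e for e in root.iter() if local_name(e.tag) == "Host"):
        idp = host.get("entityID") or defaults[0]  # Host override wins, else the default initiator
        result[host.get("name")] = (idp, idp in known)
    return result

if __name__ == "__main__":
    for name, (idp, known) in effective_idps(SAMPLE_CONFIG).items():
        print("%-14s -> %s%s" % (name, idp, "" if known else "  (not named by any SessionInitiator)"))
```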

Posted on Oct 12, 2009 by Mike Jennings in Open Source