SAML - Use the same authenticator for multiple SAML service providers

This document describes how to configure the system to handle multiple service providers in one SAML authentication scenario.

Prerequisites

  • SAML Authentication scenario (any authentication method) configured.

SP vs IDP-initiated flows

For SP-initiated flows, no action is required: the sourceID parameter of the AssertionProvider valve is ignored in an SP-initiated flow.

This solution document explains how to make this work in an IDP-initiated flow.

Edit execution flow

1. Log on to Configuration manager

2. Open Scenarios and click the scenario to be edited

3. Click Execution flow

4. Click on the execution flow which contains the AssertionProvider valve

5. Edit the AssertionProvider valve. Change the sourceID value to {{request.spentityid}}

6. Click Save.

IDP-initiated URL

A query string parameter named "spentityid" must be added to the IDP-initiated trigger URL (the POST SSO URL) for this to work.

https://<phenixid_server>/saml/authenticate/<authenticator_alias>?spentityid=<entity_id_of_sp>

Example:

https://ubuntu.phx.local:8443/saml/authenticate/unpwmultiplesps?spentityid=https://sp.testshib.org/shibboleth-sp
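Because the sourceID is now taken from a request parameter, the entity ID in the query string decides which service provider the assertion is built for. The following is an added example (not PhenixID code) that builds the trigger URL with the entity ID percent-encoded, since entity IDs contain "://" and "/", and shows the check a defender would expect on the receiving side: the spentityid value is resolved against the SPs the IdP actually has metadata for, and a missing, empty, repeated, or unknown value yields no SP. The server name, authenticator alias, and the set of configured SPs are constructed sample values; the first is taken from the example above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample: entity IDs of the service providers this IdP has metadata for.
# The first one is the SP from the example URL above; the second is hypothetical.
CONFIGURED_SPS = {
    "https://sp.testshib.org/shibboleth-sp",
    "https://sp2.example.test/saml/metadata",
}


def build_idp_initiated_url(server, authenticator_alias, sp_entity_id):
    """Return the IDP-initiated trigger URL with spentityid as a percent-encoded query parameter.

    urlencode() percent-encodes ':' and '/' in the entity ID, so the value survives
    intact in the query string regardless of the client or proxy in front of the IdP.
    """
    base = f"https://{server}/saml/authenticate/{authenticator_alias}"
    return f"{base}?{urlencode({'spentityid': sp_entity_id})}"


def resolve_sp_entity_id(url, configured_sps=CONFIGURED_SPS):
    """Extract spentityid from a trigger URL and resolve it against the configured SPs.

    Returns the entity ID when it names a configured SP. Returns None when the
    parameter is absent, empty, supplied more than once, or not a configured SP,
    which is the case in which no assertion should be issued.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("spentityid", [])
    if len(values) != 1:          # absent, or repeated (ambiguous target)
        return None
    candidate = values[0]
    return candidate if candidate in configured_sps else None


if __name__ == "__main__":
    url = build_idp_initiated_url(
        "ubuntu.phx.local:8443", "unpwmultiplesps", "https://sp.testshib.org/shibboleth-sp"
    )
    print(url)
    print("resolved SP:", resolve_sp_entity_id(url))
    print("unknown SP:", resolve_sp_entity_id(url.split("?")[0] + "?spentityid=https://unknown.example/sp"))
```

The unencoded form used in the example above parses to the same entity ID with parse_qs, so both forms resolve identically; the encoded form is simply the one that cannot be mangled by intermediaries that rewrite unreserved characters differently.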