Multiple App with Same SSO Config - Redirect to particular app when user comes from IDP initiative


akcatchme
I have multiple apps with the same SSO config.
app1 =  one.exampleone.com
app2 = two.exampletwo.com

I have SSO config like
EntityId =   idsvr.example.com
ACS URL = idsvr.example.com?companyid="#####"

The SP initiative scenario works fine - if the user types one.exampleone.com, it redirects to the client identity provider, authenticates and redirects back to the same app. Same for the second app.
But during IDP initiative, the user comes through https://Companyadmin-dev.onelogin.com/trust/saml2/http-redirect/sso/99999 and it has a SAML response, but I don't know where to redirect.
i.e. once I get the SAML Response, I wouldn't know which app the user wants to go to.

So I was thinking of adding AppId in the ACS URL like this: idsvr.example.com?companyid="#####"&appid=app1

For SP initiative, I want to keep ACS URL = idsvr.example.com?companyid="#####" without appid,
but for IDP initiative, I want the client to add appid.

Right now, my LocalServiceProviderConfiguration has the ACS URL without AppID. So SP initiative works, but IDP initiative gets Destinationcheck & Recipientcheck failed.
Usually, the client sets up ACS and Recipient with the same URL.

I can disable both with
DisableDestinationCheck = true,
DisableRecipientCheck = true

but I don't want to disable them as it is not recommended.

Is there a standard way to get the APPID through the SAML Response, or another way, in the case of multiple apps with the same SSO config?
OR
Is there a way to validate Destinationcheck & Recipientcheck for both ACS URLs, with AppID and without AppID? Like pattern matching.

Thank you.





ComponentSpace
Why not have separate SAML configurations for each of your service provider applications?
Each service provider has its own assertion consumer service URL.
If you wish to have the one SAML configuration that supports multiple applications, the best option might be to have the identity provider include the AppID as a SAML attribute.
This might be easier to achieve for the identity provider rather than adding a query string parameter.



Regards
ComponentSpace Development
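
An added example (not part of the original thread, and not ComponentSpace's own code) of the attribute approach suggested above: once the SAML library has validated the response with the Destination and Recipient checks left enabled, the AppID attribute is mapped to a landing URL through a fixed allow list, so the attribute value is never used as a redirect target itself. The attribute name `AppID`, the `AppRouter` class, the `app1`/`app2` keys and the `https://` landing URLs are assumptions built from the hosts in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class AppRouter
{
    // Hypothetical allow list: AppID attribute value -> landing URL.
    // Hosts are the ones named in the question; the scheme is assumed.
    private static readonly Dictionary<string, Uri> Apps =
        new Dictionary<string, Uri>(StringComparer.OrdinalIgnoreCase)
        {
            ["app1"] = new Uri("https://one.exampleone.com/"),
            ["app2"] = new Uri("https://two.exampletwo.com/"),
        };

    // attributes: name -> values copied from the assertion, only after the SAML
    // library has accepted it (signature, Destination and Recipient all checked).
    public static Uri Resolve(
        IReadOnlyDictionary<string, IReadOnlyList<string>> attributes,
        string attributeName = "AppID")
    {
        if (!attributes.TryGetValue(attributeName, out var values) || values.Count == 0)
            throw new InvalidOperationException("Assertion carries no AppID attribute.");

        // An assertion naming two different apps is ambiguous: reject it, do not guess.
        var distinct = values
            .Select(v => (v ?? string.Empty).Trim())
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();
        if (distinct.Count != 1)
            throw new InvalidOperationException("Ambiguous AppID attribute.");

        // Only values on the allow list produce a redirect target.
        if (!Apps.TryGetValue(distinct[0], out var target))
            throw new InvalidOperationException("AppID is not a registered application.");
        return target;
    }

    public static void Main()
    {
        // Constructed sample input standing in for a validated assertion's attributes.
        var attrs = new Dictionary<string, IReadOnlyList<string>>
        {
            ["AppID"] = new[] { "app2" },
        };
        Console.WriteLine(Resolve(attrs));
    }
}
```

With this in place the ACS URL stays identical for SP-initiated and IdP-initiated SSO, so neither `DisableDestinationCheck` nor `DisableRecipientCheck` has to be set.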