Single SP for Multiple vhosts acting as a reverse proxy
We have an app that needs to be deployed multiple times for different clients (client1.newco.com, client2.newco.com, etc.). We used to create multiple SPs/partnerships with the IDP for each client. We are at a point where this solution is not scalable anymore. Our IDP has asked us to implement a solution where a single partnership/SP can work with all instances of the application. The IDP software is not Shibboleth.
To achieve this, we have set up an Apache server as a reverse proxy with multiple vhosts and <Location> blocks. Each vhost is defined with its own applicationId because we might have to override session values in future. Apache also acts as a bridge to Tomcat. The IDP is configured with a single ACS.
We get into a loop with this configuration. SAML tracer in Firefox shows that Shibboleth on App2 redirects the user to a login page. From there, the assertion gets posted to the App1/default ACS. The user is redirected back to the App2 page -> login -> POST, and so on.
A couple of questions:
1. Is it possible to achieve this objective of single SP and ACS with multiple vhosts?
2. If yes, what do I need to add in the override block to avoid this loop?
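Added example, not the poster's configuration and not a reply from the list: a shibboleth2.xml fragment that maps both vhosts onto one application so the session created at the single ACS is visible on every host. It rests on the assumption that each ApplicationOverride keeps its own session cookie, so an assertion consumed under the default application on client1 can never satisfy an app2 override on client2; the host names, entityID, IdP entityID and cookie domain are placeholders.

```xml
<!-- Added example (assumed layout), not the original poster's config -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">

  <!-- Both vhosts map to the SAME application: no applicationId here,
       because every ApplicationOverride gets a separate session cookie
       namespace and would recreate the redirect loop. -->
  <RequestMapper type="Native">
    <RequestMap applyDefaults="true">
      <Host name="client1.newco.com" authType="shibboleth" requireSession="true"/>
      <Host name="client2.newco.com" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://sp.newco.com/shibboleth" REMOTE_USER="eppn">
    <!-- handlerURL is absolute so the ACS always lives on the one host the
         IdP knows about; the domain-scoped cookie lets the browser present
         the session on every *.newco.com vhost; ss:mem keeps relay state
         server-side so the client2 -> IdP -> client1 -> client2 hop works.
         Caveat: every host under newco.com now receives the session cookie,
         so only trusted vhosts may share that domain. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" relayState="ss:mem"
              handlerURL="https://client1.newco.com/Shibboleth.sso"
              cookieProps="; path=/; domain=.newco.com; secure; HttpOnly">
      <SSO entityID="https://idp.example.org/idp">SAML2</SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html"/>
    <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/>
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" path="protocols.xml"/>
</SPConfig>
```

The SP3 namespace is used; an SP2 deployment uses the 2.0 namespace and the same elements. Per-vhost differences that do not need a separate session (for example different attribute mappings) are a separate concern from the loop and are not shown here.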