IDP & Multiple SPs Under One IIS Website

Hello ComponentSpace,

There exists the potential that I may have to set up an IDP and multiple SPs underneath one IIS Website. I envision it looking something like this:

www.MyWebSite.com
www.MyWebSite.com/IdentityProvider
www.MyWebSite.com/ServiceProvider1
www.MyWebSite.com/ServiceProvider2

I believe that I would have to make the IDP and SPs IIS applications underneath the root website. Do you know if SSO will still work with this setup?

Yes, that should be fine. We do something similar in some of our test environments.

Hello ComponentSpace,

Here’s what I’ve got set up on my dev environment.

IdentityProvider
Url: http://MyWebsite.com
SingleSignOnServiceUrl: http://MyWebsite.com/SAML/SSOService
SingleLogoutServiceUrl: http://MyWebsite.com/SAML/SLOService

ServiceProvider - Set up as an IIS Application underneath http://MyWebsite.com
Url: http://MyWebsite.com/ServiceProviderTest
AssertionConsumerServiceUrl: http://MyWebsite.com/ServiceProviderTest/SAML/AssertionConsumerService
SingleLogoutServiceUrl: http://MyWebsite.com/ServiceProviderTest/SAML/SLOService

The ServiceProviderTest IIS App is set up to use Forms Authentication.

However, when I navigate to http://MyWebsite.com/ServiceProviderTest, I receive the following error:

401- Unauthorized: Access is denied due to invalid credentials. You do not have permission to view this directory or page using the credentials that you supplied.

Is there anything further that I need to set up?

Could you please provide further details on how to set up an IIS application so that it can successfully access the IdP at the root of the website?

Can you browse to the identity provider and perform SSO to the service provider?
Is your service provider application configured to only permit authorized users access and for forms authentication?
You’ll see that the ExampleServiceProvider is configured for forms authentication and will redirect back to the login page if required.
Here’s the relevant section from the ExampleServiceProvider’s web.config.


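The web.config section referred to above is not reproduced on this page. What follows is an added example, not the ExampleServiceProvider's own configuration and not ComponentSpace's code: a minimal web.config for an SP application (here the thread's ServiceProviderTest) running as an IIS application beneath an IdP at the site root. Two points the setup in this thread raises are built in. First, the quoted "401 - Unauthorized: Access is denied due to invalid credentials" text is IIS's own error page, produced when Anonymous Authentication is disabled for the application; forms authentication never returns it, it redirects to the login page, so Anonymous Authentication must stay enabled on the SP application in IIS Manager (it is normally locked at the applicationHost.config level and cannot be flipped from web.config). Second, the IdP posts the SAML response to the AssertionConsumerService before any SP session exists, so that endpoint must be reachable anonymously. The login page name (Login.aspx) and the cookie name are assumptions; the SAML/ paths are the ones the thread lists.

```xml
<?xml version="1.0"?>
<!-- Added example, not the ExampleServiceProvider's web.config.
     Assumed: the SP's login page is ~/Login.aspx and it starts SAML SSO to the
     IdP at the site root; SAML/AssertionConsumerService and SAML/SLOService are
     the endpoint paths given in the thread. -->
<configuration>
  <system.web>
    <!-- Forms authentication: an unauthenticated request is redirected to
         loginUrl. It never produces an IIS 401; that comes from IIS itself when
         Anonymous Authentication is disabled on this application. -->
    <authentication mode="Forms">
      <!-- name: the IdP at the site root also uses forms authentication, and the
           default cookie name (.ASPXAUTH) is the same for both. Because both
           apps live on one host name, the two cookies would overwrite each
           other, so give the SP a distinct name and scope it to the app path. -->
      <forms loginUrl="~/Login.aspx"
             name=".ServiceProviderTestAuth"
             path="/ServiceProviderTest"
             timeout="30" />
    </authentication>
    <!-- Default for the whole application: anonymous users ("?") are denied. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The IdP delivers the SAML response to the ACS by browser POST before the
       user has an SP session, and may send a logout request to SLO with no
       session at all. Both must be reachable anonymously or the POST is bounced
       to the login page and SSO never completes. -->
  <location path="SAML">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must be anonymous, otherwise the redirect loops. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check that the two layers are separated correctly: browsing to http://MyWebsite.com/ServiceProviderTest should redirect to Login.aspx rather than showing an IIS error page; if the IIS 401 page still appears, the problem is the Authentication feature of the ServiceProviderTest application in IIS Manager, not web.config.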
Hello ComponentSpace,

Again, this is my configuration in my dev environment:

IdentityProvider
Url: http://MyWebsite.com
SingleSignOnServiceUrl: http://MyWebsite.com/SAML/SSOS…
SingleLogoutServiceUrl: http://MyWebsite.com/SAML/SLOS…

ServiceProvider - Set up as an IIS Application underneath http://MyWebsite.com
Url: http://MyWebsite.com/ServicePr…
AssertionConsumerServiceUrl: http://MyWebsite.com/ServicePr…
SingleLogoutServiceUrl: http://MyWebsite.com/ServicePr…

My question is this: Because my ServiceProvider is set up as an IIS App underneath my IDP and within the same domain, do I need a Certificate that is different from the IDP Certificate?

I have assumed that I do need a separate certificate, but wanted to double check with you.

Thanks,

Will

Hi Will
It’s always better to use separate certificates for the identity provider and service provider. If the identity provider and service provider are different organizations then separate certificates must be used, as an organization’s private key should not be shared. If the identity provider and service provider are the same organization then you may use the same certificate, as the private key is not being shared outside the organization.
If you have separate certificates then I would use separate certificates for the identity provider and service provider. If you only have a single certificate and given the identity provider and service provider are installed on the same server you could use the same certificate for both.