Is Multi-Tenancy best option for handling domain name switch?


My client is switching domain names and for illustration purposes let’s say they are changing from to

At the moment SSO is initiated from the identity provider by submitting a request to

I was wondering whether Multi-Tenancy would allow me to support requests sent to either or so that users can switch over gradually.

<SAMLConfigurations xmlns="urn:componentspace:SAML:2.0:configuration"> 
  <SAMLConfiguration Name="tenant1"> 
    <ServiceProvider Name="SP1"/> 
      <PartnerIdentityProvider Name="IdP1"/> 
      <PartnerIdentityProvider Name="IdP2"/> 
  <SAMLConfiguration Name="tenant2"> 
    <ServiceProvider Name="SP2"/> 
      <PartnerIdentityProvider Name="IdP3"/> 
      <PartnerIdentityProvider Name="IdP4"/> 

When I tried this I got an error advising ‘One or more XML configuration schema errors occurred’.

In the above example, taken from the documentation each PartnerIdentityProvider has a unique Name however in my scenario both service providers would have the same list of PartnerIdentityProvider with the same names.

Would that be the problem?

Thanks in advance.

The simplest approach is to set the DisableDestinationCheck configuration flag to true. This disables the check of the destination field in the SAML response against the configured assertion consumer service URL. That way either or can be used. Once the domain name switch has completed, you can remove this flag.

Here’s an example of specifying the flag.

  Description="Example Identity Provider"
    <Certificate FileName="Certificates\idp.cer"/>

You could use a multi-tenancy configuration but this is a lot more involved and not recommended for this use case. However, if you did want to take this approach, you can use the ValidateConfig project under the Examples\Configuration folder to get more details regarding the syntax errors. Just run ValidateConfig from the command line and specify your saml.config file.

Many thanks for the response and the DisableDestinationCheck seems like a great option.

I just have one more question.

At the moment I have the below in my saml.config file

<ServiceProvider Name="" Description="Portal" AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx">
    <Certificate FileName="Certificates\abc.pfx" Password="Ci2mWaYbyXq"/>

And an example of a PartnerIdentityProvider would be

<PartnerIdentityProvider Name="" Description="123 Partner" SignAuthnRequest="true">
    <Certificate FileName="Certificates\123.cer"/>

In order to facilitate submissions posted to would I not need to include a reference to the xyz.pfx certificate file in the service provider?

Thanks in advance

The abc.pfx is only used to sign SAML authn requests or SAML logout messages, or to decrypt encrypted SAML assertions.

From your description, SAML SSO is initiated at the identity provider. Therefore, SAML authn requests aren’t sent and therefore won’t be signed.

The configuration doesn’t include SAML logout URLs so SAML logout messages aren’t sent and therefore won’t be signed.

I can’t tell from the configuration whether SAML assertions are encrypted although in most cases they aren’t. Assuming they aren’t, abc.pfx won’t be used.

You could safely remove the local certificate configuration as it isn’t in use.

Thanks. That’s worked a treat. Thanks for all your help.

You’re very welcome.