I have multiple app with same SSO config.
app1 = one.exampleone.com
app2 = two.exampletwo.com
I have SSO config like
EntityId = idsvr.example.com
ACS URL = idsvr.example.com?companyid=“#####”
SP initiative scenario works fine - If user type one.exampleone.com , it will redirect to client Identity provider , authenticate and redirect back to same app. same for second app.
but during IDP initiative , user come through https://Companyadmin-dev.onelogin.com/trust/saml2/http-redirect/sso/99999 and it has SAML response but don’t know where to rediret.
i.e Once I get SAML Response, I wouldn’t know which app user wants to go.
So I was thinking of adding AppId in ACS URL like this idsvr.example.com?companyid=“#####”&appid=app1
For SP initiative , I want to keep ACS URL = idsvr.example.com?companyid=“#####” without appid
but IDP initiative , I want client to add appid
Right now , My LocalServiceProviderConfiguration has ACS url without AppID . So SP initiative works but IDP iniitiative gets Destinationcheck & Recipientcheck failed.
Usually , client setup ACS and Recipient with same URL.
I can disable both with
DisableDestinationCheck = true,
DisableRecipientCheck = true
but I don’t want to disable it as it is not recommended.
Is there standard way to get APPID though SAML Response or other way in case of Multiple app with same SSO config ?
OR
Is there way to validate Destinationcheck & Recipientcheck for both ACS URL with AppID and without AppID ? like pattern matching.
Thank you.
Why not have separate SAML configurations for each of your service provider applications?
Each service provider has its own assertion consumer service URL.
If you wish to have the one SAML configuration that supports multiple applications, the best option might be to have the identity provider include the AppID as a SAML attribute.
This might be easier to achieve for the identity provider rather than adding a query string parameter.