I recently had to set up another environment for a website I completed. This website would in turn be my staging site for testing. The production website, which was staging until we went live, uses Shibboleth and connects to an IDP. The staging site needed to replicate this, so I needed to configure a second Service Provider. This process took some time and help from Google and the guys who ran the IDP. I will go through the steps I took to get two service providers running on one server.
1. IIS Settings
If this is a new website in IIS, it may not have the correct settings. After installing your first SP (Service Provider), all websites should contain these settings, but if you are adding a new one you should duplicate them for your new website from an existing one that is configured to use Shibboleth, or can use Shibboleth.
Handler Mapping
First, make sure you create a handler under Handler Mappings. Select the website in IIS and its Dashboard Home should appear. Click on the icon labeled Handler Mappings.
Second, click "Add Script Map…" under the Actions panel, usually on your right, to open the Add Script Map window.

Third, type in the Request Path, which is *.sso; the Executable, which during installation was placed at C:\opt\shibboleth-sp\lib\shibboleth\isapi_shib.dll; and last the name of the handler, Shibboleth. Click OK.
The Shibboleth handler has now been added, and you can see the result under the Handler Mappings listing.
ISAPI Filter
The last addition in IIS is made in the ISAPI Filters section, reached from Dashboard Home by clicking the ISAPI Filters icon.

Second, click "Add…" under the Actions panel, usually on your right, to open the Add ISAPI Filter window.

Third, type in the Filter name, which is Shibboleth, and last the Executable, which is the same location as in the Handler Mapping above. Click OK.

The Shibboleth ISAPI Filter has now been added, and you can see the result under the ISAPI Filters listing.

2. Generate Certificate/Private Key
The second part is to generate a new certificate/private key pair. The certificate will be given to the IDP to register your SP. To generate a new pair, head to the Shibboleth folder and find the keygen.bat file. This uses openssl to generate a certificate and private key. These will be used by both the IDP and SP to validate the requests that come through. Make sure not to overwrite the existing certificate and private key of the first site you configured. The files are usually sp-cert.pem and sp-key.pem by default. Once generated, this certificate and private key will be used in the next step.
3. Update Shibboleth Configuration File
The next step is to update the configuration file for your new service provider. Locate the directory that contains shibboleth2.xml. This configuration file was located at C:\opt\shibboleth-sp\etc\shibboleth\.
Once it is opened, locate the ISAPI node that contains your Site nodes.
<ISAPI normalizeRequest="true" safeHeaderNames="true">
  <Site id="1" name="example.com" />
  <Site id="2" name="staging.example.com" />
</ISAPI>
Insert your new Site node. My new node is staging.example.com, with an id of 2. The id of the Site element comes from IIS. If you select Sites under IIS, you will get a listing of all your websites including the site id.
The second step in the configuration file is to add a new Host entry under the RequestMapper section. The only difference from your original Host entry is that the new one needs an applicationId and the new name attribute.
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="example.com">
      <Path name="secure" authType="shibboleth" requireSession="true" />
    </Host>
    <Host applicationId="staging" name="staging.example.com">
      <Path name="secure" authType="shibboleth" requireSession="true" />
    </Host>
  </RequestMap>
</RequestMapper>
The last section of the configuration file that needs to be edited is the ApplicationDefaults section. A new element called ApplicationOverride needs to be added. I added it at the end of this section. This was given to me by the IDP, so some attributes might be different.
<ApplicationOverride id="staging" entityID="https://staging.example.com">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="https://staging.example.com/Shibboleth.sso" handlerSSL="false" idpHistory="false" idpHistoryDays="7" />
  <CredentialResolver type="File" key="sp-staging-key.pem" certificate="sp-staging-cert.pem" />
</ApplicationOverride>
Since the configuration file is in the same folder as the new certificate/private key pair files we generated, the file names are just added to the CredentialResolver element as attributes called key and certificate. The entityID is also important as that will be given to the IDP as the key for your Service Provider.
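The three edits above have to agree with each other, so here is an added example (not part of the original post or of the Shibboleth project) that cross-checks a shibboleth2.xml before the service is restarted. The `lint` function is hypothetical, and the sample document is constructed from the fragments on this page, with the ApplicationDefaults entityID and default key file names assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample assembled from this page's fragments; the ApplicationDefaults
# entityID and its sp-key.pem/sp-cert.pem resolver are assumed values.
SAMPLE = """<SPConfig>
<ISAPI normalizeRequest="true" safeHeaderNames="true">
  <Site id="1" name="example.com"/><Site id="2" name="staging.example.com"/>
</ISAPI>
<RequestMapper type="Native"><RequestMap applicationId="default">
  <Host name="example.com"/>
  <Host applicationId="staging" name="staging.example.com"/>
</RequestMap></RequestMapper>
<ApplicationDefaults entityID="https://example.com">
  <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  <ApplicationOverride id="staging" entityID="https://staging.example.com">
    <Sessions handlerURL="https://staging.example.com/Shibboleth.sso" handlerSSL="false"/>
    <CredentialResolver type="File" key="sp-staging-key.pem" certificate="sp-staging-cert.pem"/>
  </ApplicationOverride>
</ApplicationDefaults></SPConfig>"""

def lint(xml_text):
    """Return findings for a shibboleth2.xml that hosts more than one SP."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the XML namespace a real file declares
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    defaults = root.find("ApplicationDefaults")
    overrides = {o.get("id"): o for o in defaults.findall("ApplicationOverride")}
    hosts = {h.get("name"): h.get("applicationId", "default") for h in root.iter("Host")}
    for site in root.iter("Site"):  # an unmapped site falls back to the default SP
        if site.get("name") not in hosts:
            findings.append(f"Site {site.get('name')}: no <Host>, uses the default application")
    for name, app in hosts.items():
        if app != "default" and app not in overrides:
            findings.append(f"Host {name}: applicationId '{app}' has no ApplicationOverride")
    base = defaults.find("CredentialResolver")
    base_key = base.get("key") if base is not None else None
    for app, o in overrides.items():
        if o.get("entityID") in (None, defaults.get("entityID")):
            findings.append(f"{app}: entityID not distinct from the default SP")
        cred = o.find("CredentialResolver")  # absent means inherited from the defaults
        if cred is None or cred.get("key") == base_key:
            findings.append(f"{app}: shares the first site's private key")
        sess = o.find("Sessions")
        if sess is not None and sess.get("handlerSSL") == "false":
            findings.append(f"{app}: handlerSSL=false, handlers accept non-TLS requests")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Run against the configuration shown on this page, the only finding is the handlerSSL setting: with handlerSSL="false" the SP handlers also process requests that arrive without TLS, even though handlerURL is an https address.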
4. Register With IDP
The last step is to register your Service Provider with your IDP. The information that will need to be sent to the IDP is the certificate that was generated (not the private key), and the entityID from the ApplicationOverride section of the configuration file we edited.
5. Test The Connection
As with your first Shibboleth configuration, set up a page that will redirect to the IDP login page, and make sure a valid redirect happens after a correct login. If you have any issues, check the log files under the C:\opt\shibboleth-sp\var\log\shibboleth folder. They can give valuable information on why your configuration isn't working.