---
title: SAML 2.0 and multiple applications
description: This page extends the previous example to add a second service provider.
component: pinggateway
version: 2025.11
page_id: pinggateway:gateway-guide:federation-setup-multi-sps-handler
canonical_url: https://docs.pingidentity.com/pinggateway/2025.11/gateway-guide/federation-setup-multi-sps-handler.html
revdate: 2025-10-22T14:04:06Z
---

# SAML 2.0 and multiple applications

This page extends the previous example to add a second service provider.

The new service provider has entity ID `sp2` and runs on the host `sp2.example.com`. To prevent unwanted behavior, the two service providers must have different values for these settings.

1. Add `sp2.example.com` to your `/etc/hosts` file:

   ```none
   127.0.0.1 localhost am.example.com ig.example.com app.example.com sp.example.com sp2.example.com
   ```

2. In PingGateway, configure the service provider files for `sp2`, using the files you created to configure the Fedlet.

   1. In `fedlet.cot`, add `sp2` to the list of `sun-fm-trusted-providers`:

      ```properties
      cot-name=Circle of Trust
      sun-fm-cot-status=Active
      sun-fm-trusted-providers=openam, sp, sp2
      sun-fm-saml2-readerservice-url=
      sun-fm-saml2-writerservice-url=
      ```

   2. Copy `sp.xml` to `sp2.xml`, and copy `sp-extended.xml` to `sp2-extended.xml`.

   3. In both files, search and replace the following strings:

      * `entityID=sp`: replace with `entityID=sp2`

      * `sp.example.com`: replace with `sp2.example.com`

      * `metaAlias=/sp`: replace with `metaAlias=/sp2`

      * `/metaAlias/sp`: replace with `/metaAlias/sp2`

   4. Restart PingGateway.

3. In AM, set up a remote service provider for `sp2`:

   1. Select Applications > Federation > Entity Providers.

   2. Drag in or import `sp2.xml` created in the previous step.

   3. Select Circles of Trust: `Circle of Trust`.

4. Add the following routes to PingGateway:

   * Linux

     `$HOME/.openig/config/routes/saml-handler-sp2.json`

   * Windows

     `%appdata%\OpenIG\config\routes\saml-handler-sp2.json`

   ```json
   {
     "name": "saml-handler-sp2",
     "condition": "${find(request.uri.host, 'sp2.example.com') and find(request.uri.path, '^/saml')}",
     "handler": {
       "type": "SamlFederationHandler",
       "config": {
         "comment": "Use unique session properties for this SP.",
         "useOriginalUri": true,
         "assertionMapping": {
           "sp2Username": "cn",
           "sp2Password": "sn"
         },
         "authnContext": "sp2AuthnContext",
         "sessionIndexMapping": "sp2SessionIndex",
         "subjectMapping": "sp2SubjectName",
         "redirectURI": "/sp2"
       }
     }
   }
   ```

   Source: [saml-handler-sp2.json](../_attachments/config/routes/saml-handler-sp2.json)

   * Linux

     `$HOME/.openig/config/routes/federate-handler-sp2.json`

   * Windows

     `%appdata%\OpenIG\config\routes\federate-handler-sp2.json`

   ```json
   {
     "name": "federate-handler-sp2",
     "condition": "${find(request.uri.host, 'sp2.example.com') and not find(request.uri.path, '^/saml')}",
     "baseURI": "https://app.example.com:8444",
     "handler": {
       "type": "DispatchHandler",
       "config": {
         "bindings": [
           {
             "condition": "${empty session.sp2Username}",
             "handler": {
               "type": "StaticResponseHandler",
               "config": {
                 "status": 302,
                 "headers": {
                   "Location": [
                     "http://sp2.example.com:8080/saml/SPInitiatedSSO?metaAlias=/sp2"
                   ]
                 }
               }
             }
           },
           {
             "handler": {
               "type": "Chain",
               "config": {
                 "filters": [
                   {
                     "type": "HeaderFilter",
                     "config": {
                       "messageType": "REQUEST",
                       "add": {
                         "x-username": ["${session.sp2Username[0]}"],
                         "x-password": ["${session.sp2Password[0]}"]
                       }
                     }
                   }
                 ],
                 "handler": "ReverseProxyHandler"
               }
             }
           }
         ]
       }
     }
   }
   ```

   Source: [federate-handler-sp2.json](../_attachments/config/routes/federate-handler-sp2.json)

5. Test the setup:

   1. Log out of AM, and test the setup with the following links:

      * [IdP-initiated SSO](http://am.example.com:8088/openam/idpssoinit?metaAlias=/idp&spEntityID=sp2)

      * [SP-initiated SSO](http://sp2.example.com:8080/home/federate)

   2. Log in to AM with username `demo` and password `Ch4ng31t`.

      PingGateway returns the response page showing that the user has logged in.
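
The `saml-handler-sp2` route carries the comment "Use unique session properties for this SP." The following check is an added example, not part of the PingGateway documentation: it collects the session property names each `SamlFederationHandler` route writes and reports any name shared by more than one service provider. The first-SP route, its name `saml-handler-sp1`, and its property names are constructed sample values; the `sp2` values are the ones on this page.

```python
# Settings of a SamlFederationHandler whose values name session fields.
NAME_SETTINGS = ("authnContext", "sessionIndexMapping", "subjectMapping")


def saml_configs(node):
    """Yield the config of every SamlFederationHandler inside a route."""
    if isinstance(node, dict):
        if node.get("type") == "SamlFederationHandler":
            yield node.get("config", {})
        for value in node.values():
            yield from saml_configs(value)
    elif isinstance(node, list):
        for item in node:
            yield from saml_configs(item)


def session_properties(route):
    """Return the session property names that a route writes."""
    names = set()
    for config in saml_configs(route):
        names.update(config.get("assertionMapping", {}))  # keys are session names
        names.update(config[k] for k in NAME_SETTINGS if k in config)
    return names


def find_collisions(routes):
    """Map each property written by more than one route to those routes."""
    owners = {}
    for route in routes:
        for prop in session_properties(route):
            owners.setdefault(prop, []).append(route["name"])
    return {p: sorted(r) for p, r in owners.items() if len(r) > 1}


# Constructed sample: first-SP route; its property names are assumptions.
SP1 = {"name": "saml-handler-sp1", "handler": {
    "type": "SamlFederationHandler", "config": {
        "assertionMapping": {"username": "cn", "password": "sn"},
        "authnContext": "authnContext", "sessionIndexMapping": "sessionIndex",
        "subjectMapping": "subjectName", "redirectURI": "/home/federate"}}}
# The sp2 route from this page (in practice, json.load the route files).
SP2 = {"name": "saml-handler-sp2", "handler": {
    "type": "SamlFederationHandler", "config": {
        "assertionMapping": {"sp2Username": "cn", "sp2Password": "sn"},
        "authnContext": "sp2AuthnContext", "sessionIndexMapping": "sp2SessionIndex",
        "subjectMapping": "sp2SubjectName", "redirectURI": "/sp2"}}}

if __name__ == "__main__":
    print(find_collisions([SP1, SP2]) or "no shared session properties")
```

A non-empty result means two routes write the same session field, so one service provider's assertion data could be read by the other's `federate-handler` route.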
