---
title: SAML 2.0 and multiple applications
description: The chapter extends the example in SAML 2.0 single sign-on and federation with the service provider sp, to add a second service provider.
component: pinggateway
version: 7.2
page_id: pinggateway:gateway-guide:federation-multi-sps
canonical_url: https://docs.pingidentity.com/pinggateway/7.2/gateway-guide/federation-multi-sps.html
revdate: 2025-06-02T16:30:54Z
---

# SAML 2.0 and multiple applications

This chapter extends the example in [SAML 2.0 single sign-on and federation](federation.html), which uses the service provider `sp`, by adding a second service provider.

The new service provider has entity ID `sp2` and runs on the host `sp2.example.com`. To prevent unwanted behavior, the service providers must have different values.

1. Add `sp2.example.com` to your `/etc/hosts` file:

   ```none
   127.0.0.1 localhost am.example.com ig.example.com app.example.com sp.example.com sp2.example.com
   ```

2. In IG, configure the service provider files for `sp2`, using the files you created in [Configure a Java Fedlet](federation.html#proc-federation-conf-fedlet):

   1. In `fedlet.cot`, add `sp2` to the list of `sun-fm-trusted-providers`:

      ```properties
      cot-name=Circle of Trust
      sun-fm-cot-status=Active
      sun-fm-trusted-providers=openam, sp, sp2
      sun-fm-saml2-readerservice-url=
      sun-fm-saml2-writerservice-url=
      ```

   2. Copy `sp.xml` to `sp2.xml`, and copy `sp-extended.xml` to `sp2-extended.xml`.

   3. In both files, search and replace the following strings:

      * `entityID=sp`: replace with `entityID=sp2`

      * `sp.example.com`: replace with `sp2.example.com`

      * `metaAlias=/sp`: replace with `metaAlias=/sp2`

      * `/metaAlias/sp`: replace with `/metaAlias/sp2`

   4. Restart IG.

3. In AM, set up a remote service provider for `sp2`, as described in [Set up federation with unsigned/unencrypted assertions](federation.html#federation-installation):

   1. Select Applications > Federation > Entity Providers.

   2. Drag in or import `sp2.xml` created in the previous step.

   3. Select Circles of Trust: `Circle of Trust`.

4. Add the following routes to IG:

   * Linux

     ```
     $HOME/.openig/config/routes/saml-sp2.json
     ```

   * Windows

     ```
     %appdata%\OpenIG\config\routes\saml-sp2.json
     ```

   ```json
   {
     "name": "saml-sp2",
     "condition": "${find(request.uri.host, 'sp2.example.com') and find(request.uri.path, '^/saml')}",
     "handler": {
       "type": "SamlFederationHandler",
       "config": {
         "comment": "Use unique session properties for this SP.",
         "useOriginalUri": true,
         "assertionMapping": {
           "sp2Username": "cn",
           "sp2Password": "sn"
         },
         "authnContext": "sp2AuthnContext",
         "sessionIndexMapping": "sp2SessionIndex",
         "subjectMapping": "sp2SubjectName",
         "redirectURI": "/sp2"
       }
     }
   }
   ```

   * Linux

     ```
     $HOME/.openig/config/routes/federate-sp2.json
     ```

   * Windows

     ```
     %appdata%\OpenIG\config\routes\federate-sp2.json
     ```

   ```json
   {
     "name": "federate-sp2",
     "condition": "${find(request.uri.host, 'sp2.example.com') and not find(request.uri.path, '^/saml')}",
     "baseURI": "http://app.example.com:8081",
     "handler": {
       "type": "DispatchHandler",
       "config": {
         "bindings": [
           {
             "condition": "${empty session.sp2Username}",
             "handler": {
               "type": "StaticResponseHandler",
               "config": {
                 "status": 302,
                 "headers": {
                   "Location": [
                     "http://sp2.example.com:8080/saml/SPInitiatedSSO?metaAlias=/sp2"
                   ]
                 }
               }
             }
           },
           {
             "handler": {
               "type": "Chain",
               "config": {
                 "filters": [
                   {
                     "type": "HeaderFilter",
                     "config": {
                       "messageType": "REQUEST",
                       "add": {
                         "x-username": ["${session.sp2Username[0]}"],
                         "x-password": ["${session.sp2Password[0]}"]
                       }
                     }
                   }
                 ],
                 "handler": "ReverseProxyHandler"
               }
             }
           }
         ]
       }
     }
   }
   ```

5. Test the setup:

   1. Log out of AM, and test the setup with the following links:

      * [IDP-initiated SSO](http://am.example.com:8088/openam/idpssoinit?metaAlias=/idp&spEntityID=sp2)

      * [SP-initiated SSO](http://sp2.example.com:8080/home/federate)

   2. Log in to AM with username `demo` and password `Ch4ng31t`.

      IG returns the response page showing that the user has logged in.
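
The `saml-sp2` route carries the comment "Use unique session properties for this SP." The following check is an added example, not part of the product documentation: it reports session property names that more than one `SamlFederationHandler` route writes to. The `saml-sp` route and the copied route are constructed for the demonstration, and the handling of omitted fields is an assumption noted in the code.

```python
import json
from pathlib import Path

# Fields of the SamlFederationHandler config whose values name session properties.
NAME_FIELDS = ("authnContext", "sessionIndexMapping", "subjectMapping")

def session_names(route):
    """Session property names a SAML route writes; empty for other routes."""
    handler = route.get("handler")
    if not isinstance(handler, dict) or handler.get("type") != "SamlFederationHandler":
        return set()
    cfg = handler.get("config", {})
    names = set(cfg.get("assertionMapping", {}))  # keys are the session names
    for field in NAME_FIELDS:
        # Assumption: an omitted field falls back to one default name, so two
        # routes that both omit it end up sharing that name.
        names.add(cfg.get(field, f"<default {field}>"))
    return names

def collisions(routes):
    """Map each session name used by more than one route to those routes."""
    seen = {}
    for route in routes:
        for name in session_names(route):
            seen.setdefault(name, []).append(route["name"])
    return {n: sorted(r) for n, r in seen.items() if len(r) > 1}

def load_routes(directory):
    """Read every route file in a routes directory."""
    return [json.loads(p.read_text()) for p in sorted(Path(directory).glob("*.json"))]

# saml-sp2 handler settings as shown on this page.
SP2 = {"name": "saml-sp2", "handler": {"type": "SamlFederationHandler", "config": {
    "assertionMapping": {"sp2Username": "cn", "sp2Password": "sn"},
    "authnContext": "sp2AuthnContext", "sessionIndexMapping": "sp2SessionIndex",
    "subjectMapping": "sp2SubjectName", "redirectURI": "/sp2"}}}
# Constructed route for the first SP: generic names, optional fields omitted.
SP = {"name": "saml-sp", "handler": {"type": "SamlFederationHandler", "config": {
    "assertionMapping": {"username": "cn", "password": "sn"}}}}
# Constructed misconfiguration: the first SP's route copied without renaming.
SP2_COPIED = dict(SP, name="saml-sp2")

if __name__ == "__main__":
    print("page config:", collisions([SP, SP2]))
    print("copied config:", collisions([SP, SP2_COPIED]))
```

To run the check against a live configuration, pass the result of `load_routes()` for your routes directory to `collisions()`.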
