Omar Azzam

Reputation: 124

SAML SSO: Can one SP metadata file be used for 5 separate SPs running the same application

My application is now running as a Service Provider for SAML 2.0 using the Spring Security SAML extension. I exchanged the IDP/SP metadata files with the Identity Provider (ssocircle) and the SSO is working fine.

However, my application is supposed to be deployed on N number of machines, and it is a business requirement to have the number of deployment/machine pairs dynamic (from 1-20).

Do I have to have an SP metadata file for each deployment/machine and register each SP metadata file in the IDP to add it to its circle of trust, or is there a way to have one SP file that could contain the info about all the servers, since it is the same deployment unit but not the same instance?

In other words, if I have 5 machines (MyApp1, MyApp2, MyApp3, MyApp4, MyApp5) installing the same application, can the SP metadata file be created once, not 5 times? By this, I would register 1 SP metadata file to the IDP instead of having 5 SP metadata files (where the only difference would be the URL of the machine).

Also, is there a way, when the user is authenticated on MyApp1, that he would be authenticated on the other servers (MyApp2, MyApp3, MyApp4, MyApp5)?

Upvotes: 1

Views: 1588

Answers (1)

As long as the applications are on different URLs, you should use separate metadata for each.

You could use a trick and configure each of the applications using SAMLContextProviderLB with a fictional scheme, host and port (i.e. pretend that all 5 applications are using the same public URL). But this would imply that the same assertions from the IDP could be used to log in to any of those 5 applications. In case you'd like to go this route, check the Spring SAML manual's chapter on reverse proxy and load balancing.

Upvotes: 1
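To make the "single public URL" trick from the answer concrete, here is an added example of the relevant Spring Security SAML bean definitions; it is not code from the question, the answer, or the Spring SAML project's own sample, and the hostname `sso.example.com`, the entity ID, the keystore path, alias and password are constructed placeholders. Every one of the five instances ships this identical configuration, so each one generates and validates against the same SP metadata.

```xml
<!-- Every instance (MyApp1..MyApp5) carries exactly this configuration.
     SAMLContextProviderLB overrides what the servlet container reports as the
     request URL, so an instance reachable as https://myapp3.internal:8443
     still builds and verifies SAML endpoints as https://sso.example.com/myapp.
     (sso.example.com is a constructed placeholder, not the poster's hostname.) -->
<bean id="contextProvider"
      class="org.springframework.security.saml.context.SAMLContextProviderLB">
    <property name="scheme" value="https"/>
    <property name="serverName" value="sso.example.com"/>
    <property name="serverPort" value="443"/>
    <property name="includeServerPortInRequestURL" value="false"/>
    <property name="contextPath" value="/myapp"/>
</bean>

<!-- The generated metadata must advertise the same shared URL and the same
     entityId, otherwise the IdP's AudienceRestriction and the ACS endpoint
     check would not match the assertion on the receiving instance. -->
<bean id="metadataGeneratorFilter"
      class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="entityId" value="urn:example:myapp:sp"/>
            <property name="entityBaseURL" value="https://sso.example.com/myapp"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="signMetadata" value="true"/>
                    <property name="idpDiscoveryEnabled" value="false"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>

<!-- One entity means one key pair: the IdP encrypts assertions to the single
     SP certificate in the metadata and verifies the single signing certificate,
     so the identical keystore has to be deployed on all five machines.
     Path, alias and password below are placeholders. -->
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="classpath:security/sp-keystore.jks"/>
    <constructor-arg type="java.lang.String" value="KEYSTORE_PASSWORD_PLACEHOLDER"/>
    <constructor-arg>
        <map>
            <entry key="sp-key" value="KEY_PASSWORD_PLACEHOLDER"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="sp-key"/>
</bean>
```

The consequence the answer warns about follows directly from this: because all five instances present one entity ID and one key pair, the IdP cannot tell them apart, and any instance will accept an assertion issued for that entity. It also does not by itself give the poster's second wish (a session on MyApp1 carrying over to MyApp2); the HTTP session created after assertion consumption lives on the instance that consumed it, so cross-instance login still needs either sticky routing on the shared hostname or a replicated session store.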
