When you use the PAM Client or Browser to access your PAM server, you should have already chosen which VIP to connect to.
And the VIP would have redirected to whichever selected node, which would generate the AuthnRequest (SAMLRequest) and send it to the IDP.
In the PAM node, at the "Configuration - Security - SAML - SP Configuration - Configuration" you would have to enter the PAM node's FQHN.
PAM will generate AuthnRequest using that FQHN so the IDP will know where to POST the SAML Assertion.
This means each PAM node will have its own unique FQHN.
At the IDP, you will need to register all the FQHNs as a valid Assertion Consumer Service (ACS)
AND
the IDP should be configured to accept the ACS in the request.
So when the IDP receives the AuthnRequest, it has the Assertion Consumer Service URL as the FQHN of the PAM node that generated it.
After IDP generates the Assertion, it is POSTed to the accepted ACS URL.
As a result, the PAM node that generated the SAMLRequest gets the SAMLResponse and processes the login.
Original Message:
Sent: 08-04-2021 11:15 AM
From: Higor Louback
Subject: SP Configuration SAML
Thanks but if I have a VIP in SITE 1 and VIP in site 2, which VIP should I use if it is replicated?
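An added illustration of the per-node ACS flow described in the reply above (not PAM's or any IDP's code): the node that received the login puts its own FQHN into AssertionConsumerServiceURL, and the IDP honours that URL only if it is one of the registered ACS URLs. The node names and SP entity ID are constructed.

```python
"""Per-node ACS handling, SP side and IDP side (illustration only)."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed: the ACS URLs registered at the IDP, one per PAM node FQHN.
REGISTERED_ACS = {
    "https://pam-node1.example.test/saml/acs",
    "https://pam-node2.example.test/saml/acs",
}


def build_authn_request(node_fqhn: str, sp_entity_id: str) -> bytes:
    """SP side: the node that got the login from the VIP builds the AuthnRequest
    with its own FQHN as AssertionConsumerServiceURL, so the SAMLResponse is
    POSTed back to this node and not to another node behind the VIP."""
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": f"https://{node_fqhn}/saml/acs",
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(root)


def resolve_acs(authn_request: bytes, registered: set) -> str:
    """IDP side: use the ACS URL carried in the request only when it matches a
    registered ACS exactly; otherwise refuse, so an assertion is never POSTed
    to a host that was not registered for this SP."""
    root = ET.fromstring(authn_request)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None or acs not in registered:
        raise ValueError(f"unregistered AssertionConsumerServiceURL: {acs!r}")
    return acs
```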