Issue: Using differents idp's to securize different hosts

Eduardo Fernandes edufer at
Mon Sep 12 21:43:40 BST 2011


Thanks for your answer.

You're right, any browser would never do that, but a malicious application
could. In my case I built a simple application that catch all cookies,
changes the url and the host header and resend it to the SP. Doing that I
could access a host securized by a different IdP.

What I want to do is guarantee that a resource protected by an IdP only will
be accessible if the user is authenticated by this IdP. This is because, as
you could imagine, private info are stored under the specific host (virtual
hosts, in my case).

I'm not sure if I was clear about my user case. If you think that I was not
clear about the subject please let me know.

Many thanks again for your help.


On Mon, Sep 12, 2011 at 10:34 PM, Cantor, Scott <cantor.2 at> wrote:

> On 9/12/11 4:21 PM, "Eduardo Fernandes" <edufer at> wrote:
> >After that I have in my browser, among other cookies, the Shibboleth
> >session cookie. So now I send all the cookies I got from the previous
> >authentication to other site:
> >
> >http get -> go to the resource
> >ok. In my config file I setup that hosts2 should be securized using idp2
> >but no authentication is required.
> That isn't possible, so you are mistaken about what you actually set up or
> what cookies existed. Any of the cookies the SP sets are per-host by
> default and will not work across hosts.
> >
> >Is there a way to oblige Shibboleth SP to force authentication even if I
> >resent cookies, etc to hosts2?
> It didn't and doesn't resend them.
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list