Issue: Using differents idp's to securize different hosts

Cantor, Scott cantor.2 at
Mon Sep 12 21:48:01 BST 2011

On 9/12/11 4:43 PM, "Eduardo Fernandes" <edufer at> wrote:
>You're right, any browser would never do that, but a malicious
>application could. In my case I built a simple application that catch all
>cookies, changes the url and the host header and resend it to the SP.
>Doing that I could access a host securized by a different IdP.

Ok. If you map both hosts to the same application in the SP, then they do
in fact share a session cache, so that works as intended. If you want them
separate, then you need to make them separate applications.

>What I want to do is guarantee that a resource protected by an IdP only
>will be accessible if the user is authenticated by this IdP. This is
>because, as you could imagine, private info are stored under the specific
>host (virtual hosts, in my case).
>I'm not sure if I was clear about my user case. If you think that I was
>not clear about the subject please let me know.

It's clearer now.

If you want to lock it down, you need separate applicationIds and you need
to give them metadata with only the idP you want.

You can do it by mapping one vhost to the default application and one to
an override, or you could map both to overrides if that's clearer to you.

-- Scott

More information about the users mailing list