Issue: Using different IdPs to secure different hosts

Eduardo Fernandes edufer at gmail.com
Mon Sep 12 21:59:16 BST 2011


Gotcha.

I'll try it out. So I need a new application for each customer. Your idea is
clear. I supposed that the session cache would share entries only for the
hosts/aliases in the same site.

Thanks a lot for your suggestion and for your time. (and also for the quick
answer).


Eduardo.


On Mon, Sep 12, 2011 at 10:48 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 9/12/11 4:43 PM, "Eduardo Fernandes" <edufer at gmail.com> wrote:
> >
> >
> >You're right, any browser would never do that, but a malicious
> >application could. In my case I built a simple application that catches all
> >cookies, changes the URL and the Host header and resends it to the SP.
> >Doing that I could access a host secured by a different IdP.
>
> Ok. If you map both hosts to the same application in the SP, then they do
> in fact share a session cache, so that works as intended. If you want them
> separate, then you need to make them separate applications.
>
> >
> >
> >What I want to do is guarantee that a resource protected by an IdP will
> >only be accessible if the user is authenticated by this IdP. This is
> >because, as you could imagine, private info is stored under the specific
> >host (virtual hosts, in my case).
> >
> >I'm not sure if I was clear about my use case. If you think that I was
> >not clear about the subject please let me know.
>
> It's clearer now.
>
> If you want to lock it down, you need separate applicationIds and you need
> to give them metadata with only the IdP you want.
>
> You can do it by mapping one vhost to the default application and one to
> an override, or you could map both to overrides if that's clearer to you.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
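The layout Scott describes (one applicationId per vhost, each override carrying metadata for only its own IdP), written out as an added shibboleth2.xml fragment. It is not from this thread or the Shibboleth project; the hostnames, override ids, entityIDs and metadata file names are constructed placeholders.

```xml
<!-- Constructed example, not from the thread. Each customer vhost is mapped to
     its own applicationId, so the SP keeps their sessions apart: a session cookie
     copied from customer-a and replayed against customer-b belongs to a different
     application and is not honoured there. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">

  <RequestMapper type="Native">
    <RequestMap>
      <!-- hostnames are placeholders -->
      <Host name="customer-a.example.org" authType="shibboleth"
            requireSession="true" applicationId="customerA"/>
      <Host name="customer-b.example.org" authType="shibboleth"
            requireSession="true" applicationId="customerB"/>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                       REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp-a.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <!-- default application: only IdP A is trusted -->
    <MetadataProvider type="XML" file="idp-a-metadata.xml"/>

    <!-- customer A can simply reuse the defaults; it still gets its own
         session cache partition because it has its own applicationId -->
    <ApplicationOverride id="customerA"/>

    <!-- customer B: its own entityID, its own IdP, and metadata that lists
         only IdP B, so an assertion signed by IdP A cannot be validated here -->
    <ApplicationOverride id="customerB"
                         entityID="https://customer-b.example.org/shibboleth">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                handlerSSL="true" cookieProps="https">
        <SSO entityID="https://idp-b.example.org/idp/shibboleth">SAML2</SSO>
      </Sessions>
      <MetadataProvider type="XML" file="idp-b-metadata.xml"/>
    </ApplicationOverride>
  </ApplicationDefaults>

</SPConfig>
```

Whether the override keeps the default entityID or declares its own, the separation rests on the applicationId plus the restricted metadata; an override that inherits the default MetadataProvider would still trust every IdP listed there.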