SSO Implementation

Cantor, Scott cantor.2 at osu.edu
Thu Nov 1 14:31:15 EDT 2012


On 11/1/12 2:14 PM, "Raz's" <gajula.rajashekhar at gmail.com> wrote:
>
>For us, sessions should be separate for the vhosts (dev & test) even if
>they are registered at the same IDP so what do you suggest to overcome
>the above scenario?

I think you're confusing sessions with the IdP with sessions with the SP,
but maybe not.

If you don't control the IdP(s), then you can't dictate how identity is
tracked at the IdP or how it behaves when crossing between different SPs.

I think the answer may be "you can't", but since I don't really know what
you're doing, I don't know. So far what you described as "not working" is
not fixable unless you change the IdP's behavior, and if you're expecting
to rely on customer IdPs you don't control, then the ones using Shibboleth
2 won't work that way.

My IdP happens to support this because I don't use IdP sessions at the
moment, I just discard them and rely on my own login handler and a cookie.
Using ForceAuthn in theory would work for switching user identity. But
that's one IdP.

-- Scott



