multiple vhost , single SP question
peter.schober at univie.ac.at
Wed Nov 14 15:46:23 EST 2012
* Sean McHugh <sean8sean at gmail.com> [2012-11-14 21:32]:
> All of this works quite well, except for the fact that browsers
> complain about switching between http and https during the redirect
> from the IdP back to the SP. Is there any other way to deal with
> this without purchasing a wildcard cert, building something into the
> app itself, etc.?
First off, with the X.509v3 SubjectAltName extension you can have
dozens of host names in a single certificate and serve them up from a
single IP address. Whether your CA supports that (and for what
additional cost, if any) I can't say.
That's the easiest way.
The actual problem comes from the flow not being a redirect, as you
state, but an HTTP POST from an HTTPS resource (the IdP's login page,
protecting the credentials in transit) to a plain HTTP resource
(the SP without an SSL cert).
Redirects don't cause these errors, so another way to deal with this
is switching from HTTP-POST to the HTTP-Artifact protocol binding.
That's the only binding that does not involve an HTTP POST to the SP.
Not all IdPs will support that, though.
There /might/ also be other workarounds, like only exposing the
SSL-enabled vhost in SAML metadata, not setting the "secure" flag on
the cookie and explicitly setting the SP's session cookie to a shared
DNS domain. That might not be acceptable in a hosting environment with
hundreds or thousands of other hosts. But then you disabled SSL and
all cookies will go in the clear anyway, so there's not much security
for the session left.
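For the SubjectAltName option above, a small check (added here as an illustration, not code from the list or from any SP software) that tells you which of an SP's vhosts a single certificate's dNSName SAN entries actually cover, using the usual RFC 6125 wildcard rules; the SAN list and vhost names are constructed sample data.

```python
"""Does one certificate's SubjectAltName list cover all the SP's vhosts?

Wildcard rules follow RFC 6125: "*" may only be the whole leftmost label,
it matches exactly one label, and a wildcard name needs at least two more
labels (so "*" or "*.org" never match anything).
"""


def name_matches(san_name: str, host: str) -> bool:
    """True if a dNSName SAN entry (possibly '*.example.org') covers host."""
    san = san_name.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in san:
        return san == h
    pl = san.split(".")
    hl = h.split(".")
    # Reject partial wildcards ("w*.example.org"), wildcards in inner
    # labels, too-short wildcard names, and hosts with a different depth.
    if pl[0] != "*" or any("*" in p for p in pl[1:]):
        return False
    if len(pl) < 3 or len(pl) != len(hl):
        return False
    # Leftmost label must be non-empty; the rest must match exactly.
    return bool(hl[0]) and pl[1:] == hl[1:]


def uncovered_vhosts(san_names, vhosts):
    """Return the vhosts that no SAN entry covers, in input order."""
    return [v for v in vhosts if not any(name_matches(s, v) for s in san_names)]


# Constructed sample: SAN entries of one certificate and the vhosts served.
SAN_NAMES = ["sp.example.org", "*.apps.example.org", "login.example.org"]
VHOSTS = [
    "sp.example.org",
    "wiki.apps.example.org",
    "deep.wiki.apps.example.org",  # wildcard covers one label only
    "apps.example.org",            # "*.apps.example.org" != "apps.example.org"
    "other.example.net",
]

if __name__ == "__main__":
    for v in VHOSTS:
        ok = not uncovered_vhosts(SAN_NAMES, [v])
        print(f"{v:30} {'covered' if ok else 'NOT covered'}")
```

Names reported as not covered need their own SAN entry (or a separate certificate) before the browser stops complaining.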