multiple vhost, single SP question
Sean McHugh
sean8sean at gmail.com
Wed Nov 14 18:30:47 EST 2012
On Wed, Nov 14, 2012 at 3:46 PM, Peter Schober
<peter.schober at univie.ac.at> wrote:
>
> First off, with the X.509v3 SubjectAltName extension you can have
>
thx. overhead of regenerating the cert for each new vhost is painful
[...]
> Redirects don't cause these errors, so another way to deal with this
> is switching from HTTP-POST to the HTTP-Artifact protocol binding.
> That's the only binding that does not involve an HTTP POST to the SP.
> Not all IdPs will support that, though.
>
luckily using Shib IdP :) My understanding of the Artifact Resolution Protocol is limited, so I will read up on it
> There /might/ also be other workarounds, like only exposing the
> SSL-enabled vhost in SAML metadata,
this is what I initially did ... but when accessing the non-SSL vhost(s), the authnrequest is telling the IdP to use the ACS of http://<non ssl vhost>
> not setting the "secure" flag on
> the cookie and explicitly setting the SP's session cookie to a shared
> DNS domain. That might not be acceptable in a hosting environment with
> hundreds or thousands of other hosts.
some services it would matter, others not so much
> But then you disabled SSL and
> all cookies will go in the clear anyway, so there's not much security
> for the session left.
>
yeah, for this particular instance, we don't have much in terms of security concerns. typically, we just do the 1 IP : 1 VHOST : 1 CERT for the important stuff, and that works just fine with Shib.
> -peter
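The failure Sean describes with the "only publish the SSL vhost" workaround is the IdP refusing to send a response to an AssertionConsumerService URL it cannot find in the SP's metadata. The following is an added illustration, not code from this thread or from the Shibboleth project, that models that check with the Python standard library: it parses constructed SP metadata that publishes only the HTTPS vhost's endpoints, then evaluates AuthnRequests whose ACS URL was derived from the vhost the user actually hit. All hostnames, the entityID and the endpoint paths are constructed for the example.

```python
"""Model of the IdP-side rule that an AuthnRequest's
AssertionConsumerServiceURL must be registered in the SP's metadata.
Added illustration, not Shibboleth code; all names are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata: only the SSL-enabled vhost is published,
# which is the "expose just the SSL vhost" workaround from the thread.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://secure.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="1" isDefault="true" Binding="{POST}"
        Location="https://secure.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="{ARTIFACT}"
        Location="https://secure.example.org/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(acs_url, binding=POST):
    """Minimal constructed AuthnRequest. An SP normally derives the ACS
    URL from the vhost the browser arrived on, so a non-SSL vhost yields
    an http:// ACS even when metadata only lists https:// endpoints."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_req1" '
            f'Version="2.0" IssueInstant="2012-11-14T20:30:00Z" '
            f'ProtocolBinding="{binding}" '
            f'AssertionConsumerServiceURL="{acs_url}"/>')


def registered_acs(metadata_xml):
    """Set of (binding, location) endpoints the SP has published."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iterfind(".//md:AssertionConsumerService", NS)}


def check_authn_request(metadata_xml, request_xml):
    """Return (accepted, reason). The IdP only delivers a response to an
    endpoint present in the SP's metadata; anything else is refused."""
    root = ET.fromstring(request_xml)
    url = root.get("AssertionConsumerServiceURL")
    binding = root.get("ProtocolBinding")
    if url is None:
        return True, "no ACS requested; the default endpoint in metadata is used"
    for reg_binding, location in registered_acs(metadata_xml):
        if location == url and (binding is None or binding == reg_binding):
            return True, f"ACS {url} is registered"
    return False, f"ACS {url} ({binding}) is not in SP metadata; response refused"


if __name__ == "__main__":
    for host in ("https://secure.example.org", "http://plain.example.org"):
        ok, why = check_authn_request(
            SP_METADATA, authn_request(f"{host}/Shibboleth.sso/SAML2/POST"))
        print(host, "->", "accepted" if ok else "rejected", "-", why)
```

Running it accepts the request from the HTTPS vhost and rejects the one from the plain-HTTP vhost, which is the error the thread is about. Adding the http:// endpoint to the metadata would make the IdP accept it, but only moves the problem: the assertion and the session cookie would then travel over plain HTTP, which is the trade-off Peter points out.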