multiple vhost, single SP question

Sean McHugh sean8sean at
Wed Nov 14 18:30:47 EST 2012

On Wed, Nov 14, 2012 at 3:46 PM, Peter Schober
<peter.schober at> wrote:

> First off, with the X.509v3 SubjectAltName extension you can have

thx.  overhead of regenerating the cert for each new vhost is painful

> Redirects don't cause these errors, so another way to deal with this
> is switching from HTTP-POST to the HTTP-Artifact protocol binding.
> That's the only binding that does not involve an HTTP POST to the SP.
> Not all IdPs will support that, though.

luckily using Shib IdP :)  My understanding of the Artifact Resolution
Protocol is limited, so I will read up on it

> There /might/ also be other workarounds, like only exposing the
> SSL-enabled vhost in SAML metadata,

this is what I initially did ... but when accessing the non-SSL
vhost(s), the AuthnRequest is telling the IdP to use the ACS of
http://<non ssl vhost>

> not setting the "secure" flag on
> the cookie and explicitly setting the SP's session cookie to a shared
> DNS domain. That might not be acceptable in a hosting environment with
> hundreds or thousands of other hosts.

some services it would matter, others not so much

> But then you disabled SSL and
> all cookies will go in the clear anyway, so there's not much security
> for the session left.

yeah, for this particular instance, we don't have much in terms of security
concerns.  Typically, we just do the 1 IP : 1 VHOST : 1 CERT for the
important stuff, and that works just fine with Shib.

> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
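As an added illustration (not part of this thread, and not Shibboleth's own code), here is a small Python check over a constructed SP metadata fragment. It flags AssertionConsumerService endpoints that would receive a SAML response over plain HTTP, which is what the non-SSL vhost discussed above ends up advertising; HTTP-Artifact endpoints are left alone because, as noted above, that binding does not POST the response to the SP. The entity ID and host names are made up.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample SP metadata: one https vhost and one plain-http vhost,
# the latter with both a POST and an Artifact endpoint.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://secure.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://plain.example.org/Shibboleth.sso/SAML2/POST" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://plain.example.org/Shibboleth.sso/SAML2/Artifact" index="3"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def insecure_acs(metadata_xml):
    """Return (index, binding, location) for each ACS endpoint that would
    receive the SAML response itself over an unencrypted transport.

    Any non-https Location is flagged unless its binding is HTTP-Artifact:
    with Artifact the browser only carries an opaque handle and the SP
    fetches the real response from the IdP over its own back channel."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        location = acs.get("Location", "")
        binding = acs.get("Binding", "")
        if urlsplit(location).scheme != "https" and binding != ARTIFACT:
            findings.append((acs.get("index"), binding, location))
    return findings


if __name__ == "__main__":
    for index, binding, location in insecure_acs(SAMPLE_METADATA):
        print(f"ACS index {index}: {location} ({binding.rsplit(':', 1)[-1]}) is not https")
```

Run it against the metadata your SP actually publishes (for Shibboleth SP, what the Metadata handler returns) rather than the constructed sample.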