multiple vhost , single SP question

Peter Schober peter.schober at
Thu Nov 15 04:21:37 EST 2012

* Sean McHugh <sean8sean at> [2012-11-15 00:31]:
> On Wed, Nov 14, 2012 at 3:46 PM, Peter Schober
> <peter.schober at>wrote:
> >
> > First off, with the X.509v3 SubjectAltName extension you can have
> >
> thx.  overhead of regenerating the cert for each new vhost is painful

We've been doing just that automatically in our webhosting environment
which serves ~860 SSL-enabled vhosts currently. I wouldn't want to do
this manually.

SNI is the obvious answer here but depends on what clients you need to

> > There /might/ also be other workarounds, like only exposing the
> > SSL-enabled vhost in SAML metadata,
> this is what i initially did ... but when accessing to the non-SSL
> vhost(s), the authnrequest is telling
> the IdP to use the ACS of http://<non ssl vhost>

Then the IdP would have failed with "No return endpoint available for
relying party" or something like that. So probably we're not talking
about the same thing.
But I'm not sure this would work the way I suggested anyway (i.e.,
sharing cookies via a shared DNS domain and only establishing new
sessions via 1 SSL-enabled vhost). It could be made to work with
custom sessions not involving the SP, certainly.

More information about the users mailing list