multiple vhost, single SP question

Cantor, Scott cantor.2 at
Thu Nov 15 12:05:41 EST 2012

On 11/15/12 12:01 PM, "Sean McHugh" <sean8sean at> wrote:
>apologies ... you are correct - SNI is supported in 2.2.12+ with mod_ssl
>built against OpenSSL 0.9.9 or later

Ok, thanks.

>I think I need to re-read the wiki before continuing this thread, b/c
>from the answers I'm getting, I feel like I'm missing something obvious.
>I only wish to have 1 cert for the _default_:443 vhost and direct the
>AuthNRequest ACS to that hostname only, when a request is made to any of
>the non-ssl vhosts

The cookies are scoped to the host. That's where Peter's shared domain
idea comes in. If you had a shared domain across them, then in theory,
yes, you can route all handler traffic to one set of endpoints. That is
extremely unusual, but that's the use case for setting handlerURL (which
is absent in a default config now) to an absolute URL root.

Instead of /Shibboleth.sso (relative), you use
https://vhost/Shibboleth.sso. Quite possible it will break some things, but
that's the basic step.

You'd have to override cookieProps as well and use it to control the
cookie's settings to include a domain attribute.

-- Scott
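
The two settings named in the reply above, as an added configuration sketch that is not part of the original message. It assumes the `<Sessions>` element of a Shibboleth SP 2.x shibboleth2.xml; `vhost.example.org` and `.example.org` are placeholder names.

```xml
<!-- Constructed fragment for illustration; host and domain names are placeholders. -->

<!-- Before: handler location is relative (or handlerURL is absent), so every
     vhost serves its own /Shibboleth.sso endpoints and the session cookie
     is scoped to the host that set it. -->
<Sessions handlerURL="/Shibboleth.sso" cookieProps="https">
    <!-- SSO, Logout and Handler child elements unchanged -->
</Sessions>

<!-- After: handlerURL is an absolute URL root, so all handler traffic
     (including the assertion consumer service) goes to the one SSL vhost.
     cookieProps is overridden with a custom string (it must start with a
     semicolon) that adds a domain attribute, so the cookie set on
     vhost.example.org is also sent to other hosts under .example.org. -->
<Sessions handlerURL="https://vhost.example.org/Shibboleth.sso"
          cookieProps="; path=/; domain=.example.org; secure; HttpOnly">
    <!-- SSO, Logout and Handler child elements unchanged -->
</Sessions>

<!-- Trade-off to check before deploying:
     - With "secure", browsers send the cookie only over HTTPS, so plain-HTTP
       vhosts never see the session.
     - Without "secure", the session cookie crosses the network in cleartext
       on every request to a non-SSL vhost.
     - A domain-wide cookie is readable by every host under that domain,
       not only the vhosts protected by this SP. -->
```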
