Sub-domain per Entity

Cantor, Scott cantor.2 at osu.edu
Mon Feb 25 12:45:59 EST 2013


> The problem with this is that we have to configure a new set of SP URLs
> every time we want to enable single sign on for a tenant. This is because
> when the SAML request is sent by Shib to the IdP, the ACS URL is set to a
> URL with the specific sub-domain (e.g. client1.example.com).

Yes, it's a bad model to do separate vhosts per tenant.
 
> I think the linchpin of all of this is the Shib auth cookie which is scoped
> to the specific sub-domain. If I can configure Shib SP to set a high-level
> cookie (.example.com) instead of a sub-domain level cookie
> (clientx.example.com), then I should be able to redirect the user to

Yes, and then all your tenants are sharing a cookie domain. I don't think you really want to do that. But you certainly can if you want.

-- Scott
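As an added illustration, not part of the thread: the two cookie scopes being discussed, expressed as the `cookieProps` attribute of the `<Sessions>` element in a Shibboleth SP 2.x `shibboleth2.xml` (the hostnames and the other attribute values are constructed placeholders).

```xml
<!-- Constructed shibboleth2.xml fragment; example only, not from the thread. -->

<!-- Per-tenant (host-scoped) session cookie: no domain attribute, so the browser
     returns _shibsession_* only to the exact vhost that set it, e.g.
     client1.example.com. Each tenant's session stays on its own host. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          relayState="ss:mem" handlerSSL="true"
          cookieProps="; path=/; secure; HttpOnly">
</Sessions>

<!-- Shared (domain-scoped) session cookie: the domain attribute makes the browser
     send the same _shibsession_* cookie to every host under .example.com, so
     client1, client2, ... all receive and can act on one another's session
     cookie. This is the "all your tenants are sharing a cookie domain" case. -->
<Sessions lifetime="28800" timeout="3600" checkAddress="false"
          relayState="ss:mem" handlerSSL="true"
          cookieProps="; path=/; domain=.example.com; secure; HttpOnly">
</Sessions>
```

The leading "; " in `cookieProps` is deliberate: the SP appends this string after the cookie value, so it must begin the attribute list itself.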
