Sub-domain per Entity

Cantor, Scott cantor.2 at
Mon Feb 25 12:45:59 EST 2013

> The problem with this is that we have to configure a new set of SP URLs
> every time we want to enable single sign on for a tenant. This is because
> when the SAML request is sent by Shib to the IdP, the ACS URL is set to a
> URL with the specific sub-domain (e.g.

Yes, it's a bad model to do separate vhosts per tenant.

> I think the linchpin of all of this is the Shib auth cookie which is scoped
> to the specific sub-domain. If I can configure Shib SP to set a high-level
> cookie ( instead of a sub-domain level cookie
> (, then I should be able to redirect the user to

Yes, and then all your tenants are sharing a cookie domain. I don't think you really want to do that. But you certainly can if you want.

-- Scott
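
The cookie-scoping trade-off discussed in this reply, as an added example that is not part of the original post and is not Shibboleth code: it applies the RFC 6265 domain-match rule to show which tenant hosts would receive a session cookie when it is host-only versus scoped to the parent domain. The hostnames and function names are constructed placeholders.

```python
# Added illustration: RFC 6265 cookie scoping for per-tenant sub-domains.
# Hostnames are constructed placeholders, not values from the thread.
import ipaddress
from typing import List, Optional

TENANT_HOSTS = ["tenant-a.sp.example", "tenant-b.sp.example", "sp.example"]


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does `host` domain-match `cookie_domain`?"""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)  # IP literals only ever match exactly
        return False
    except ValueError:
        pass
    # Suffix match must fall on a label boundary ("evilsp.example" is not a match).
    return host.endswith("." + cookie_domain)


def receives_cookie(request_host: str, set_by_host: str,
                    domain_attr: Optional[str]) -> bool:
    """Would a browser attach the cookie to a request for `request_host`?"""
    if domain_attr is None:
        # No Domain attribute: host-only cookie, returned to the setting host only.
        return request_host.lower() == set_by_host.lower()
    if not domain_match(set_by_host, domain_attr):
        # A host may not set a cookie for a domain it does not belong to.
        return False
    return domain_match(request_host, domain_attr)


def exposure(set_by_host: str, domain_attr: Optional[str]) -> List[str]:
    """Hosts from TENANT_HOSTS that would receive the session cookie."""
    return [h for h in TENANT_HOSTS
            if receives_cookie(h, set_by_host, domain_attr)]


if __name__ == "__main__":
    print("host-only  :", exposure("tenant-a.sp.example", None))
    print("parent-wide:", exposure("tenant-a.sp.example", "sp.example"))
```

With the parent-domain scope, the session cookie issued for one tenant is presented to every other tenant's sub-domain, which is the sharing the reply cautions about.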
