Sub-domain per Entity

bmontgomery bmontgomery at
Mon Feb 25 12:52:38 EST 2013

Thanks, Scott. It's important that the URL's be separate so that we can 
automatically determine each user's tenant ID based on the URL. Given 
that fact, what would be a better way to configure it?

On 2/25/2013 12:46 PM, Cantor, Scott E. [via Shibboleth] wrote:
>  > The problem with this is that we have to configure a new set of SP URL's
>  > every time we want to enable single sign on for a tenant. This is
> because
>  > when the SAML request is sent by Shib to the IdP, the ACS URL is set
> to a
>  > URL with the specific sub-domain (e.g.
> Yes, it's a bad model to do separate vhosts per tenant.
>  > I think the lynch pin of all of this is the Shib auth cookie which is
> scoped
>  > to the specific sub-domain. If I can configure Shib SP to set a
> high-level
>  > cookie ( instead of a sub-domain level cookie
>  > (, then I should be able to redirect the user to
> Yes, and then all your tenants are sharing a cookie domain. I don't
> think you really want to do that. But you certainly can if you want.
> -- Scott
> --
> To unsubscribe from this list send an email to [hidden email]
> </user/SendEmail.jtp?type=node&node=7584794&i=0>
> ------------------------------------------------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
> To unsubscribe from Sub-domain per Entity, click here
> <>.
> <>

View this message in context:
Sent from the Shibboleth - Users mailing list archive at
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list