Sub-domain per Entity

bmontgomery bmontgomery at teamdynamix.com
Mon Feb 25 13:55:41 EST 2013


I think the high-level cookie is our best option going forward since we 
need to have those client-specific URL's to allow us to do the discovery 
bit automatically. It does not present a security or performance issue 
for us.

I think the built-in discovery mechanisms in the Native SP are good, and 
I'm not sure there's much more I would expect out of the box. We were 
just looking to remove that discovery step from the authentication 
process for our users if we could.

Thanks for your help, Scott.

On 2/25/2013 1:27 PM, Cantor, Scott E. [via Shibboleth] wrote:
>  > Thanks, Scott. It's important that the URL's be separate so that we can
>  > automatically determine each user's tenant ID based on the URL. Given
>  > that fact, what would be a better way to configure it?
>
> There isn't one, really. We need signed requests in place of URL
> registration, but getting that supported at scale will take years.
>
> I suppose one answer is to punt worrying about the security implications
> of a common domain. Given that a truly federated service shouldn't be
> doing discovery based on URL anyway, the trend would be to have unified
> domains. The segregated domain thing breaks down horribly as soon as you
> federate a resource to multiple clients. Google docs, Box, etc. have
> horrible user experiences because they're domain-based silos.
>
> But in terms of actually deploying across thousands of domains, this
> isn't a great software solution for that problem. It wasn't a goal.
>
> -- Scott
>
>
> --
> To unsubscribe from this list send an email to [hidden email]
> </user/SendEmail.jtp?type=node&node=7584796&i=0>
>
>
> ------------------------------------------------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
> http://shibboleth.1660669.n2.nabble.com/Sub-domain-per-Entity-tp7584793p7584796.html
>
> To unsubscribe from Sub-domain per Entity, click here
> <http://shibboleth.1660669.n2.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=7584793&code=Ym1vbnRnb21lcnlAdGVhbWR5bmFtaXguY29tfDc1ODQ3OTN8LTY5MTg2ODMxOQ==>.
> NAML
> <http://shibboleth.1660669.n2.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>





--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Sub-domain-per-Entity-tp7584793p7584797.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20130225/acbb5f32/attachment.html 


More information about the users mailing list