Sub-domain per Entity
Peter Schober
peter.schober at univie.ac.at
Tue Feb 26 04:43:24 EST 2013
* bmontgomery <bmontgomery at teamdynamix.com> [2013-02-25 19:56]:
> I think the high-level cookie is our best option going forward since we
> need to have those client-specific URL's to allow us to do the discovery
> bit automatically.
Note that client-specific URLs do not equal specific hostnames.
You could just as well do example.org/foo instead of foo.example.org.
That doesn't really change anything Scott said, of course.
If you want a single host to handle processing of SAML protocol
messages (to avoid new metadata for each new client) you also need to
share HTTP Cookies among those instances, either by setting the cookie
domain explicitly or using the same hostname (and partitioning by
path).
Either way comes with the same baggage of sharing the security domain
and separating them comes with the same cost (additional metadata).
Jira has a patch for the Shib IDP to forgo checking of ACS URLs and
rely on signed authN requests instead and we have been using that for
a campus-internal system successfully. So the code is there, but
expecting your tenants to run patched software won't scale, of
course.
-peter
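The point about cookie scope in the message above (a cookie set with an explicit Domain attribute is shared by every host under that domain, a host-only cookie is not, and partitioning one host by path gives no security boundary at all) can be checked concretely. The following is an added example and not code from Peter's message or from the Shibboleth IdP: it models a browser's RFC 6265 domain-match and path-match rules and reports which tenant URLs would receive each cookie. The hostnames, cookie names and the `/sso` path are constructed for the example; the public suffix list a real browser also consults is not modelled.

```python
"""Which cookies would a browser send to which tenant URL?

Implements the domain-match (RFC 6265 5.1.3), path-match (5.1.4) and
Domain-attribute acceptance (5.3) rules.  Added example; hostnames and
cookie names are constructed, not taken from the mailing-list thread.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str              # setting host, or Domain attribute (leading dot stripped)
    path: str = "/"
    host_only: bool = True   # True when the Set-Cookie carried no Domain attribute


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or cookie_domain is a dot-separated
    suffix of host (foo.example.org matches example.org)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or cookie_path is a prefix that ends in '/',
    or a prefix whose next character in request_path is '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def set_cookie(name, setting_host, domain_attr=None, path="/"):
    """Model the browser storing a Set-Cookie received from setting_host."""
    if domain_attr is None:
        return Cookie(name, setting_host.lower(), path, host_only=True)
    domain = domain_attr.lstrip(".").lower()
    # RFC 6265 5.3 step 6: the setting host must itself domain-match the
    # attribute, so foo.example.org may set Domain=example.org but not
    # Domain=bar.example.org.  (A real browser additionally rejects public
    # suffixes such as Domain=org; that list is not modelled here.)
    if not domain_matches(setting_host, domain):
        raise ValueError(f"{setting_host} may not set Domain={domain_attr}")
    return Cookie(name, domain, path, host_only=False)


def can_set_domain(setting_host: str, domain_attr: str) -> bool:
    """True if a Set-Cookie from setting_host with this Domain attribute is accepted."""
    try:
        set_cookie("probe", setting_host, domain_attr=domain_attr)
        return True
    except ValueError:
        return False


def is_sent(cookie: Cookie, url: str) -> bool:
    """RFC 6265 5.4: host-only cookies need an exact host match, others a
    domain match; in both cases the path must match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    req_path = parts.path or "/"
    domain_ok = host == cookie.domain if cookie.host_only else domain_matches(host, cookie.domain)
    return domain_ok and path_matches(req_path, cookie.path)


# Constructed tenants "foo" and "bar": either sub-domains or paths on one host.
SHARED = set_cookie("idp_session", "foo.example.org", domain_attr="example.org")
HOST_ONLY = set_cookie("idp_session", "foo.example.org")
PATHED = set_cookie("idp_session", "example.org", path="/foo")

TENANT_URLS = {
    "foo_host": "https://foo.example.org/sso",
    "bar_host": "https://bar.example.org/sso",
    "foo_path": "https://example.org/foo/sso",
    "bar_path": "https://example.org/bar/sso",
}


def scope_report() -> dict:
    """For each cookie, which tenant URL would receive it."""
    cookies = (("shared", SHARED), ("host_only", HOST_ONLY), ("pathed", PATHED))
    return {label: {k: is_sent(c, u) for k, u in TENANT_URLS.items()} for label, c in cookies}


if __name__ == "__main__":
    for label, row in scope_report().items():
        print(f"{label:10s}", {k: "sent" if v else "-" for k, v in row.items()})
```

The shared cookie reaches every host under example.org, so a session established for one tenant is presented to all of them; the host-only cookie isolates foo from bar at the cookie layer, which is the per-host metadata cost the message refers to. The path-scoped cookie is only sent under /foo, but since both paths are the same origin, script on either path can read or overwrite it, so that partitioning is convenience, not a security boundary.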