Sub-domain per Entity

Peter Schober peter.schober at
Tue Feb 26 04:43:24 EST 2013

* bmontgomery <bmontgomery at> [2013-02-25 19:56]:
> I think the high-level cookie is our best option going forward since we 
> need to have those client-specific URL's to allow us to do the discovery 
> bit automatically.

Note that client-specific URLs do not equal specific hostnames.
You could just as well do  instead of
That doesn't really change anything Scott said, of course.
If you want a single host to handle processing of SAML protocol
messages (to avoid new metadata for each new client) you also need to
share HTTP Cookies among those instances, either by setting the cookie
domain explicitly or using the same hostname (and partitioning by
Either way comes with the same baggage of sharing the security domain,
and separating them comes with the same cost (additional metadata).

Jira has a patch for the Shib IDP to forgo checking of ACS URLs and
rely on signed authN requests instead and we have been using that for
a campus-internal system successfully. So the code is there, but
expecting your tenants to run patched software won't scale, of
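The cookie-scope point above (one session cookie shared across per-client hostnames means one shared security domain) can be checked offline with Python's standard http.cookiejar, which implements the Netscape/RFC 6265 domain-matching rules a browser applies. The following is an added example, not code from the original post or from the Shibboleth project; the hostnames idp.example.org, tenant-a.example.org and tenant-b.example.org, the cookie name _idp_session and all cookie values are constructed for illustration.

```python
"""Added example (not from the original post): how cookie scope decides
whether per-client hostnames can share one IdP session, and what that costs.

All hostnames, paths and cookie values are constructed for illustration.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _Response:
    """Minimal stand-in for an HTTP response; enough for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message.__setitem__ appends, not replaces

    def info(self):
        return self._headers


def receive_set_cookie(jar, response_url, set_cookie_headers):
    """Store the Set-Cookie headers of a response received from response_url."""
    request = urllib.request.Request(response_url)
    jar.extract_cookies(_Response(set_cookie_headers), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request to url (None if nothing)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed endpoints: one IdP host plus two client-specific hostnames under it.
IDP = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
TENANT_A = "https://tenant-a.example.org/idp/profile/SAML2/Redirect/SSO"
TENANT_B = "https://tenant-b.example.org/idp/profile/SAML2/Redirect/SSO"
OTHER_ZONE = "https://idp.example.net/idp/profile/SAML2/Redirect/SSO"


def host_only_scenario():
    """Session cookie without a Domain attribute: bound to the host that set it.

    A separate hostname per client therefore gets no session from the IdP host,
    which is why per-client hostnames need either a shared cookie domain or
    their own IdP instance (and metadata).
    """
    jar = http.cookiejar.CookieJar()
    receive_set_cookie(jar, IDP, ["_idp_session=sess-1; Path=/; Secure; HttpOnly"])
    return {
        "idp": cookie_header_for(jar, IDP),
        "tenant_a": cookie_header_for(jar, TENANT_A),
    }


def shared_domain_scenario():
    """Same cookie with Domain=example.org: every host under example.org sends it.

    The price is that every such host can also set a cookie of the same name
    and scope, replacing the IdP's value (cookie tossing). That is the shared
    security domain the post refers to.
    """
    jar = http.cookiejar.CookieJar()
    receive_set_cookie(
        jar, IDP, ["_idp_session=sess-1; Domain=example.org; Path=/; Secure; HttpOnly"]
    )
    result = {
        "tenant_a_before": cookie_header_for(jar, TENANT_A),
        "tenant_b_before": cookie_header_for(jar, TENANT_B),
        "other_zone": cookie_header_for(jar, OTHER_ZONE),
    }
    # A response from tenant-b (a different tenant, or a compromised one) may
    # set a cookie with the same name and domain scope; the jar replaces the value.
    receive_set_cookie(
        jar, TENANT_B,
        ["_idp_session=attacker-chosen; Domain=example.org; Path=/; Secure; HttpOnly"],
    )
    result["idp_after"] = cookie_header_for(jar, IDP)
    return result


if __name__ == "__main__":
    print("host-only cookie:", host_only_scenario())
    print("domain cookie:   ", shared_domain_scenario())
```

Run as a script it prints both outcomes: the host-only cookie reaches idp.example.org but not tenant-a.example.org, while the Domain=example.org cookie reaches every tenant host and can be overwritten by any of them, with idp.example.org then receiving the tenant-supplied value. Partitioning by path on a single hostname instead of by Domain avoids the cross-host overwrite but still leaves all clients inside one cookie jar on that host.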

More information about the users mailing list