Limit to the number of Vhosts under one entityID?
Peter Schober
peter.schober at univie.ac.at
Mon Nov 24 08:48:12 EST 2014
* Tom Scavo <trscavo at gmail.com> [2014-11-24 14:24]:
> I can't beat that :-) but FYI there are two SPs in InCommon metadata
> with at least 100 ACS endpoints:
[...]
> I don't know if either of them signs AuthnRequests, however.
Signing was mentioned as an alternative to amassing ACS URLs (so you
usually wouldn't "see" both in practice), but then most IDPs won't
accept signed requests as replacement for metadata checks of the ACS
URL out of the box.
So if you want/need to federate with more IDPs (and cannot influence
their config) multiple ACS URLs really is the only option. Or multiple
logical SPs, though that doesn't really reduce any efforts, for
anyone, quite the contrary.
One other thing to note with multiple ACS URLs is that SLO cannot
work, as SingleLogoutService is not an indexed endpoint type, i.e. you
cannot have one corresponding SingleLogoutService endpoint per ACS
URL and logout won't work with one SingleLogoutService element for any
non-matching hosts in ACS URLs.
So both signed requests (as ACS URL check replacement) and the desire
for SLO point towards restricted deployments, where you control the
IDP (and possibly other SPs).
-peter
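A metadata check for the SLO mismatch Peter describes, as an added example that is not part of the original post or of any SP or IdP software: it parses SP metadata (a constructed sample with two ACS vhosts and one SingleLogoutService) and lists the ACS hosts that have no SingleLogoutService on the same host, which is where logout will not work.

```python
# Added example, not code from the original thread: flag ACS vhosts in SP metadata
# that have no SingleLogoutService endpoint on the same host.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (hostnames are placeholders): two ACS vhosts, one SLO endpoint.
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://app1.example.org/Shibboleth.sso/SLO/Redirect"/>
    <AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app1.example.org/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app2.example.org/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def endpoint_hosts(root, local_name):
    """Return the set of host[:port] values (lowercased) of all endpoints of one element type."""
    hosts = set()
    for el in root.iter(f"{{{MD_NS}}}{local_name}"):
        loc = el.get("Location")
        if loc:
            hosts.add(urlparse(loc).netloc.lower())
    return hosts


def acs_hosts_without_slo(metadata_xml):
    """Return the sorted ACS hosts that have no SingleLogoutService on the same host.

    AssertionConsumerService is indexed, SingleLogoutService is not, so an IdP cannot
    select the SLO endpoint belonging to the vhost a user actually logged in through.
    Any host listed here will not get a usable LogoutRequest for its sessions.
    """
    root = ET.fromstring(metadata_xml)
    acs = endpoint_hosts(root, "AssertionConsumerService")
    slo = endpoint_hosts(root, "SingleLogoutService")
    return sorted(acs - slo)


if __name__ == "__main__":
    for host in acs_hosts_without_slo(SAMPLE_SP_METADATA):
        print(f"ACS host without matching SLO endpoint: {host}")
```

Run it against a real SP's published metadata to see how many vhosts would be left without working logout.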