SP and UseCanonicalName

Brent Putman putmanb at georgetown.edu
Tue Aug 18 12:43:18 EDT 2015


At the risk of committing heresy...

Some of my colleagues are asking about setting UseCanonicalName=off,
and what the potential downside would be.  Based on the docs [1]: They
won't be using the RequestMapper, just Apache config, so doesn't seem
like the second security-related reason mentioned there is an issue.

The first reason mentioned is actually why they want to do it.  They
*want* self-referential URLs, redirects, etc to be based on the
client-supplied values.  That's because they want to use (actually,
continue using) the single monolithic/global Apache config style,
rather than VirtualHosts, so that they don't have to add/update the
latter when they add new domains to the service. (Basically it's one
service with multiple domain names, and the app takes care of different
branding and behavior, based on the client-supplied domain name.)
That's how they've been running the service prior to adding Shib. 
They'll take responsibility for ensuring that their metadata ACS URLs
always reflect all of the possible domain names (or use signed requests).

Other than metadata, are there any non-obvious reasons why the SP will
fail with UseCanonicalName=off?  I can't think of any, but hoping
others can comment.  It *seems* ok in some basic testing they've done.

Thanks,
Brent


[1]
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig
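Since the safety net described above is that the IdP will only deliver assertions to ACS locations listed in SP metadata, the operational check is whether every hostname the service answers for has a matching ACS URL. The following is an added example (not Brent's code and not part of the Shibboleth SP); the metadata and hostname list are constructed inline, and a real deployment would read its own metadata file.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample SP metadata: ACS endpoints for two of the three
# hostnames the (hypothetical) service is reached under.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://brand-a.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed list of Host header values the service accepts (one with a port,
# one in mixed case, as real client-supplied headers would be).
SERVED_HOSTS = ["www.example.edu", "Brand-A.example.org", "brand-b.example.org:443"]

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def host_from_header(host_header):
    """Lower-cased hostname from a Host header value, with any port dropped."""
    return urlsplit("//" + host_header).hostname


def acs_hosts(metadata_xml):
    """Set of hostnames appearing in every AssertionConsumerService Location."""
    root = ET.fromstring(metadata_xml)
    hosts = set()
    for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS):
        host = urlsplit(acs.get("Location", "")).hostname
        if host:
            hosts.add(host)
    return hosts


def uncovered_hosts(metadata_xml, served_hosts):
    """Served hostnames with no ACS URL in metadata.

    With UseCanonicalName Off the SP derives its ACS URL from the client-supplied
    Host header, so SSO via an IdP that enforces metadata ACS locations fails for
    exactly these names until metadata is updated (or signed requests are used)."""
    covered = acs_hosts(metadata_xml)
    return sorted({host_from_header(h) for h in served_hosts} - covered)


if __name__ == "__main__":
    print("Hostnames missing from metadata:", uncovered_hosts(SAMPLE_METADATA, SERVED_HOSTS))
```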