Cookie spoof
Cantor, Scott
cantor.2 at osu.edu
Tue Nov 12 08:12:52 EST 2019
On 11/11/19, 5:40 PM, "users on behalf of Stopinski, Thomas Thaddäus" <users-bounces at shibboleth.net on behalf of thstopinski at ukaachen.de> wrote:
> What we keep asking ourselves is, how is the SP supposed to know where to send me after a successful login?
The SP knows nothing about that second domain and must have no references to it, and no clients must ever talk to it. Reverse proxies *are* the app, full stop. That's the only URL that can be visible or used anywhere. All rules must be in terms of the external URL, all metadata, everything. Until you fix that, none of this will work.
-- Scott