Configuring separate SPs using separate IdPs on Apache+Linux?

Cantor, Scott cantor.2 at
Tue Jun 22 12:53:49 UTC 2021

>    Any reassurance that I'm on the right or wrong track, tips, or pointers 
>    to existing resources covering this scenario in a concise way, would be 
>    much appreciated.

I'll simply reiterate Peter's key points:

- isolation is essentially impossible with the SP, that's not what it's meant for
- isolation is not necessary anyway, vhosts already do all the isolating it's possible to achieve on the web, being a fundamentally insecure platform to its core at this point
- you don't need the RequestMap on Apache in any case
- all this gets a lot easier once you accept that isolation isn't really necessary, since that eliminates overrides

One pool of metadata and an access control check that enforces the IdP entityID(s) a vhost is enough to limit things just as much as any other strategy will with no overrides.

-- Scott

More information about the users mailing list