Configuring separate SPs using separate IdPs on Apache+Linux?
Cantor, Scott
cantor.2 at osu.edu
Tue Jun 22 12:53:49 UTC 2021
> Any reassurance that I'm on the right or wrong track, tips, or pointers
> to existing resources covering this scenario in a concise way, would be
> much appreciated.
I'll simply reiterate Peter's key points:
- isolation is essentially impossible with the SP, that's not what it's meant for
- isolation is not necessary anyway, vhosts already do all the isolating it's possible to achieve on the web, being a fundamentally insecure platform to its core at this point
- you don't need the RequestMap on Apache in any case
- all this gets a lot easier once you accept that isolation isn't really necessary, since that eliminates overrides
One pool of metadata and an access control check that enforces the IdP entityID(s) for a vhost is enough to limit things just as much as any other strategy will, with no overrides.
-- Scott