List:       shibboleth-users
Subject:    Re: Shibboleth Service Provider Configuration for Single app for multiple sub domains with Different
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2012-10-29 23:36:46
Message-ID: BA63CEAE152A7742B854C678D949138339A9A33A () CIO-KRC-D1MBX01 ! osuad ! osu ! edu

On 10/29/12 5:44 PM, "William Spooner" <william.spooner@eaglegenomics.com>
wrote:
>
>I'm confused about the cost. You can host all of your customer 'domains'
>behind a single vhost in Apache and a single entity in Shib (please
>correct me on the latter if this is not so).

I assumed you would need a vhost per domain, but I'm not an Apache expert.
That isn't the only cost I was referring to, but it's certainly relevant
to the argument.

> So, other than session initiation, what extra overhead is introduced
> by multiple domains themselves?

The main cost is the number of endpoints in metadata and keeping them up
to date. It's geared to a point-to-point model where there's no shared
metadata to keep up to date, which is not so bad unless the SP has key(s).

The sort-of hybrid model is to collapse everything to one set of SAML
endpoints on a single domain and use shared-domain cookies to allow the
one endpoint to handle the logins for all the domains, but then you lose
any compartmentalization benefits of the separate domains.

-- Scott
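
The compartmentalization trade-off of the shared-domain cookie model described in the message above, as an added example that is not part of the original message or of Shibboleth's code. It applies the RFC 6265 domain-match rule to a constructed set of hostnames and a constructed cookie name (`sp_session`) to show which hosts receive the session cookie in each model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed hostnames for illustration; none come from the thread.
HOSTS = [
    "sso.example.org",          # single host carrying the SAML endpoints
    "customer-a.example.org",
    "customer-b.example.org",
    "customer-a.example.net",   # different parent domain
]

@dataclass(frozen=True)
class Cookie:
    name: str
    origin_host: str                    # host that set the cookie
    domain_attr: Optional[str] = None   # Domain= attribute; None means host-only

def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-address case omitted)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def sent_to(cookie: Cookie, host: str) -> bool:
    """True if a browser would attach the cookie to a request for host."""
    if cookie.domain_attr is None:
        return host.lower() == cookie.origin_host.lower()
    return domain_match(host, cookie.domain_attr)

def exposure(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Every host in hosts that receives the cookie."""
    return sorted(h for h in hosts if sent_to(cookie, h))

# Hybrid model: one endpoint host issues a cookie scoped to the parent domain.
shared = Cookie("sp_session", "sso.example.org", domain_attr="example.org")
# Per-domain model: each host issues its own host-only cookie.
host_only = Cookie("sp_session", "customer-a.example.org")

if __name__ == "__main__":
    print("shared-domain cookie reaches:", exposure(shared, HOSTS))
    print("host-only cookie reaches:   ", exposure(host_only, HOSTS))
```

The shared cookie reaches every host under the parent domain, so any one of them can read the session that covers all of them, and it never reaches a host under a different parent domain.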

