PingFederate Server

Issuance criteria and multiple virtual server IDs

Within a connection, the virtual server ID is both a piece of runtime information and a control point: it identifies which environment the partner is requesting, and your issuance criteria can evaluate it.

When you use virtual server IDs to connect to multiple environments in one connection, verify the virtual server ID at runtime. Check it alongside other user attributes, such as group membership, to protect against unauthorized access.

For example, Engineering and Marketing departments can use the same Security Assertion Markup Language (SAML) application defined in the service provider (SP) connection. When users sign on, they land in different environments within the application. Because the SP uses the same entity ID for both environments, it relies on the identity provider (IdP), your organization, to present the correct virtual server ID.

In this scenario, configure the PingFederate IdP server to include both Engineering and Marketing as virtual server IDs in the SP connection.

If you use one IdP adapter to authenticate end users from both departments, use an OGNL issuance criteria expression that cross-checks the virtual server ID in the request against the end user's group membership, so that an assertion is issued only when the two agree.

#this.get("ds.memberOf")!=null?
(
  (
    #this.get("ds.memberOf").toString().matches("(?i)CN=Eng,OU=E,DC=contoso,DC=com")
    &&
    #this.get("context.VirtualServerId").toString()=="Engineering"
  )||
  (
    #this.get("ds.memberOf").toString().matches("(?i)CN=Mkt,OU=M,DC=contoso,DC=com")
    &&
    #this.get("context.VirtualServerId").toString()=="Marketing"
  )
):false

Line breaks are inserted for readability only. Any method call whose arguments are enclosed in quotes must be entered on a single line.
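The following Python model is an added illustration of the check the OGNL expression performs; it is not PingFederate code and it does not run inside PingFederate. It takes a dictionary standing in for the attribute context (the keys ds.memberOf and context.VirtualServerId and the group DNs are the same hypothetical values as above), mirrors Java's String.matches() with re.fullmatch so that only a complete DN matches, and denies by default when the membership attribute is absent or the virtual server ID is unknown. It goes slightly beyond the page in one respect: it accepts ds.memberOf either as a single string or as a list of DNs and tests each value, which is an assumption about how a multi-valued directory attribute reaches the expression.

```python
import re
from typing import Mapping

# Constructed policy table mirroring the page's expression: each virtual server ID
# is permitted only for users whose group DN matches the corresponding pattern.
# The DNs are hypothetical (taken from the page), not real directory objects.
POLICY = {
    "Engineering": r"(?i)CN=Eng,OU=E,DC=contoso,DC=com",
    "Marketing": r"(?i)CN=Mkt,OU=M,DC=contoso,DC=com",
}


def issuance_allowed(attributes: Mapping[str, object]) -> bool:
    """Return True only when the requested virtual server ID agrees with the
    user's group membership; every missing or unexpected input yields False,
    matching the ':false' fall-through of the OGNL expression.

    'attributes' models the fulfillment context: 'ds.memberOf' (one DN, a list
    of DNs, or absent) and 'context.VirtualServerId' (assumed keys).
    """
    member_of = attributes.get("ds.memberOf")
    vsid = attributes.get("context.VirtualServerId")
    if member_of is None or vsid is None:
        return False  # no membership data or no virtual server ID: deny

    pattern = POLICY.get(str(vsid))
    if pattern is None:
        return False  # a virtual server ID the policy does not know: deny

    # Assumption: a multi-valued attribute arrives as a list; a single value as a string.
    groups = member_of if isinstance(member_of, (list, tuple)) else [member_of]

    # Java's String.matches() requires the whole string to match the regex;
    # re.fullmatch is the Python equivalent, so 'CN=Engineer,...' does not match 'CN=Eng,...'.
    return any(re.fullmatch(pattern, str(group)) is not None for group in groups)


if __name__ == "__main__":
    # Constructed sample contexts: a matching, a cross-department, and an absent-attribute request.
    samples = [
        {"ds.memberOf": "CN=Eng,OU=E,DC=contoso,DC=com", "context.VirtualServerId": "Engineering"},
        {"ds.memberOf": "CN=Eng,OU=E,DC=contoso,DC=com", "context.VirtualServerId": "Marketing"},
        {"context.VirtualServerId": "Engineering"},
    ]
    for ctx in samples:
        print(ctx, "->", issuance_allowed(ctx))
```

The point of the deny-by-default branches is that a request arriving for a virtual server ID that is not in the policy, or without any group data, never satisfies the criterion; an attribute lookup that silently returns nothing must not be mistaken for a match.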