Forum Discussion

MC_273315
Oct 17, 2016

APM SSO - Best Practices?

Hello,


We have recently started to use APM as our IdP, this works very well so far. I was curious how others have set up their infrastructure to accommodate different use cases. Currently, we have one primary https:// web IdP address with a real certificate. This real certificate is of course for the address and also for assertion signing. We have multiple SP connections set up, all delivered via one Access Policy with a resource assignment at the end. This allows a variation in attributes which is useful. Question time...


  1. Is it best practice to use a different SSL certificate for assertion signing (to give time for SP connector reconfiguration when certificates expire)?

  2. Do you use one IdP address and somehow split each connection at the start of the Access Policy, or do you just lump like connections together and make new VIPs when there is a major difference in processing? Example: some apps require multifactor (assuming internal and external) while others do not; do you just create a new VIP for the multifactor ones? My initial thought is that we either somehow detect the application and send them down the right path, or we make a new VIP and put all multifactor on it.
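The second question comes down to identifying the requesting SP before the policy branches. The following is an added example, not code from the thread or from F5: it models, in plain Python with only the standard library, the decision an IdP has to make when an SP sends an AuthnRequest over the HTTP-Redirect binding (base64 of raw DEFLATE-compressed XML), namely decode the request, read the `<saml:Issuer>` (the SP's entityID) and map it to a policy branch. The entityIDs, branch names and the `SP_POLICY` table are made-up assumptions; in APM the equivalent decision would live in the Access Policy or an iRule, which is not shown here.

```python
"""Pick a policy branch (e.g. multifactor vs. password-only) from the SP that
sent a SAML AuthnRequest. Added example; the SP entityIDs and branch names are
assumptions, not values from the original thread."""
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed mapping of SP entityID -> policy branch. Unknown issuers fail closed.
SP_POLICY = {
    "https://payroll.example.com/saml/metadata": "mfa",
    "https://wiki.example.com/saml/metadata": "password-only",
}
DEFAULT_BRANCH = "deny"


def decode_redirect_request(saml_request: str) -> bytes:
    """HTTP-Redirect binding: base64 over raw DEFLATE (no zlib header)."""
    raw = base64.b64decode(saml_request, validate=True)
    d = zlib.decompressobj(wbits=-15)
    # Cap the inflated size so a deflate bomb in SAMLRequest cannot exhaust memory.
    xml = d.decompress(raw, 1 << 20)
    if d.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size limit")
    return xml


def sp_issuer(xml: bytes) -> str:
    """Return the SP entityID from <saml:Issuer>, rejecting anything that is
    not an AuthnRequest. Production code should parse with defusedxml."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip()


def choose_branch(saml_request: str) -> str:
    """Branch name for this request; any decode/parse failure goes to DEFAULT_BRANCH."""
    try:
        issuer = sp_issuer(decode_redirect_request(saml_request))
    except (ValueError, zlib.error, ET.ParseError):
        return DEFAULT_BRANCH
    return SP_POLICY.get(issuer, DEFAULT_BRANCH)


def encode_redirect_request(xml: bytes) -> str:
    """Inverse of decode_redirect_request; used to build the constructed samples."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()


def sample_request(issuer: str) -> str:
    """Constructed AuthnRequest for the example, not captured from a real SP."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_example1" Version="2.0" IssueInstant="2016-10-17T00:00:00Z" '
        'AssertionConsumerServiceURL="https://sp.example.com/acs">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ).encode()
    return encode_redirect_request(xml)


if __name__ == "__main__":
    for sp in list(SP_POLICY) + ["https://unknown.example.net/"]:
        print(sp, "->", choose_branch(sample_request(sp)))
```

The point of the fail-closed default and the size cap is that this decision runs before any authentication has happened, so it must tolerate garbage from anyone who can reach the IdP URL. Note that the Issuer alone is not proof of which SP sent the request; it only selects the branch. The SP's identity is established later, when the assertion is encrypted for or delivered to the ACS URL configured for that SP connector.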