--- title: Issuance criteria and multiple virtual server IDs description: Virtual server IDs offer critical information and functionality in the context of connections. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_issuance_criteria_multi_virtual_serverids canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_issuance_criteria_multi_virtual_serverids.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: related-links: Related links --- # Issuance criteria and multiple virtual server IDs Virtual server IDs offer critical information and functionality in the context of connections. When you use virtual server ID *(tooltip: \
\

An optional unique identifier by which an identity federation deployment can be known to a specific connection partner.\

\
)*s to connect to multiple environments in one connection, verify the virtual server ID at runtime. Check it alongside other user attributes, such as group membership, to protect against unauthorized access. For example, Engineering and Marketing departments can use the same Security Assertion Markup Language (SAML) *(tooltip: \
\

A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains.\

\
)* application defined in the service provider (SP) *(tooltip: \
\

In SAML, an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.\

\
)* connection. When users sign on, they land in different environments within the application. Because the SP uses the same entity ID *(tooltip: \
\

The XML element in a SAML assertion that uniquely identifies an identity provider.\

\
)* for both environments, it relies on the identity provider (IdP) *(tooltip: \
\

A service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.\

\
)*, your organization, to present the correct virtual server ID. In this scenario, configure the PingFederate IdP server to include both `Engineering` and `Marketing` as virtual server IDs in the SP connection. If you use one IdP adapter to authenticate end users from both departments, use an OGNL expression to cross-check the virtual server ID information in the request and the end user's group membership information. ``` #this.get("ds.memberOf")!=null? ( ( #this.get("ds.memberOf").toString().matches("(?i)CN=Eng,OU=E,DC=contoso,DC=com") && #this.get("context.VirtualServerId").toString()=="Engineering" )|| ( #this.get("ds.memberOf").toString().matches("(?i)CN=Mkt,OU=M,DC=contoso,DC=com") && #this.get("context.VirtualServerId").toString()=="Marketing" ) ):false ``` | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------- | | | Line breaks are inserted for readability only. You must enter statements calling methods whose arguments are enclosed in quotes on a single line. | ## Related links * [Multiple virtual server IDs](../introduction_to_pingfederate/virtual_server_id.html) * [The OGNL language guide from Apache Commons](https://commons.apache.org/dormant/commons-ognl/language-guide.html)