--- title: Virtual host names description: You can optionally define a list of alternate domain names at which PingFederate receives application and protocol messages. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_virtual_host_names canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_virtual_host_names.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: multiple-site-certificates: Multiple site certificates --- # Virtual host names You can optionally define a list of alternate domain names at which PingFederate receives application and protocol messages. This is done in the **Virtual Host Names** window. When configured, PingFederate honors the originally requested host throughout all browser redirects and metadata retrieval if the requested host matches one of the virtual host names. This capability allows you to fully support any number of branded URLs regardless of configured use cases within a single PingFederate environment. Furthermore, virtual host names allow more flexibility for validating protocol elements, such as the `Destination` and `Recipient` elements in SAML inbound messages and the `aud` claim in JSON web tokens (JWTs) received from OAuth clients for client authentication purpose. * SAML inbound message In certain contexts, the SAML specifications require that XML messages include a URL identifying the host name to which the sender directed the message. As the recipient of such messages, PingFederate validates that the value matches the location where the message is received, which is the **Base URL** value defined in the **Protocol Settings** window on the **Federation Info** tab.When virtual host names are configured, PingFederate takes them into consideration as part of its message-security validation process, in addition to its base URL. * OAuth client authentication using the private\_key\_jwt client authentication method An OAuth client can authenticate with an authorization server by presenting a signed JWT. Per specification, the client must include the intended recipient as the `aud` claim value in its JWT. When acting as the authorization server, PingFederate verifies that the destination of the `aud` claim value matches either its base URL or the **Token Endpoint Base URL** value defined in the **Authorization Server Settings** window\.When virtual host names are configured, PingFederate uses them in its verification process as well. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Virtual host names and virtual server IDs serve different purposes. The latter provides separate unique identifiers on a per-connection basis for a federation deployment, normally in the same domain. For more information, see [Multiple virtual server IDs](../introduction_to_pingfederate/virtual_server_id.html). Virtual host names and virtual server IDs are not mutually exclusive. Depending on your use cases and infrastructure, you can configure both virtual server IDs and virtual host names in your PingFederate environment. | ## Multiple site certificates When multiple domain names are involved, you can configure PingFederate with multiple site certificates so that PingFederate can serve a different site certificate based on the requested host. For more information, see [Manage SSL server certificates](help_certmanagementtasklet_sslservercerts_certmanagementstate.html).