--- title: Multiple virtual server IDs description: Virtual server IDs provide more configuration flexibility in cases where you need to identify your server differently when connecting to a partner in one connection for multiple environments or in multiple connections where the partner also supports multiple federation IDs. component: pingfederate version: 13.1 page_id: pingfederate:introduction_to_pingfederate:virtual_server_id canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/virtual_server_id.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: connecting-to-a-partner-in-one-connection: Connecting to a partner in one connection connecting-to-a-partner-in-multiple-connections: Connecting to a partner in multiple connections working-with-multiple-virtual-server-ids: Working with multiple virtual server IDs --- # Multiple virtual server IDs Virtual server IDs provide more configuration flexibility in cases where you need to identify your server differently when connecting to a partner in one connection for multiple environments or in multiple connections where the partner also supports multiple federation IDs. ## Connecting to a partner in one connection This is a use case where you need to connect to multiple environments serviced by the same partner using one federation ID, multiplexing one service provider (SP) connection to access multiple subdomain accounts in Microsoft Office 365. Suppose both the marketing and the engineering departments of contoso.com, the identity provider (IdP), have their own departmental subdomains, marketing.contoso.com and engineering.contoso.com. They are both registered in Office 365, the SP, under the parent domain, contoso.com. To include both marketing.contoso.com and engineering.contoso.com as the virtual server IDs in the Office 365 SP connection, configure the PingFederate IdP server. Each virtual server ID has its own set of protocol endpoints obtained in the connection metadata. For more information, see [Metadata export](../administrators_reference_guide/pf_metadata_export.html) and [System-services endpoints](../developers_reference_guide/pf_sys_services_endpoints.html). After providing the protocol endpoints information to Office 365, when Office 365 sends login requests to PingFederate, PingFederate picks the correct IdP adapter to authenticate the end users based on the virtual server ID in the requests. For each successful login, PingFederate builds an assertion with the issuer set to the corresponding virtual server ID. When Office 365 receives the assertion, it creates the end user session with the right subdomain settings based on the issuer value in the assertion. ## Connecting to a partner in multiple connections In this use case, you connect to your partner in multiple connections. In each connection, you identify yourself and your partner differently. For example, you as the SP provide separate environments for the end users based on their regions. Your IdP operates in two regions, Europe (EU) and North America (NA). Their federation IDs are `eu.idp.local` and `na.idp.local` respectively. In the PingFederate SP server, you can create two IdP connections to federate identities for end users from both regions as follows. | | Partner's federation ID | Your virtual server ID | | --------------------- | ----------------------- | ---------------------- | | **IdP connection #1** | `eu.idp.local` | `idp-eu.sp.tld` | | **IdP connection #2** | `na.idp.local` | `idp-na.sp.tld` | Based on the issuer (the partner's federation ID) and the audience values (your virtual server ID), PingFederate determines at runtime which IdP connection the assertion is intended for, validates as per the connection settings, and passes attribute values to the SP adapter to create the end-user session. ## Working with multiple virtual server IDs You can assign virtual server IDs either as an IdP during configuration of an SP connection or as an SP configuring an IdP connection for both Browser single sign-on (SSO) Profiles and WS-Trust security token service (STS) for access to identity-enabled web services. For more information, see [Identifying the SP](../administrators_reference_guide/help_spconnectionconfigtasklet_generalinfostate.html) and [Identifying the partner](../administrators_reference_guide/help_idpconnectionconfigtasklet_generalinfostate.html). If a connection has only one virtual server ID, it becomes the default virtual server ID for the connection. If the list contains several entries, you must specify one of them as the default virtual server ID for that connection. The connection uses the default virtual server ID when a request does not include virtual server ID information. For more information, see [IdP endpoints](../developers_reference_guide/pf_idp_endpoints.html) for an IdP or [SP endpoints](../developers_reference_guide/pf_sp_endpoints.html) for an SP. In a connection with multiple virtual server IDs, you can restrict each adapter added to the connection to certain virtual server IDs to enhance the end-user experience. For more information, see [Restricting an authentication source to certain virtual server IDs](../administrators_reference_guide/pf_restricting_authentication_source_certain_virtual_server_ids.html) and [Restricting a target session to certain virtual server IDs](../administrators_reference_guide/pf_restricting_target_session_certain_virtual_server_ids.html). | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Restrict each token processor or token generator added to a WS-Trust STS SP connection or IdP connection. For more information, see [Restricting a token processor to certain virtual server IDs](../administrators_reference_guide/help_wstrusttokenprocessormappingtasklet_virtualserveridmappingstate.html) or [Restricting a token generator to certain virtual server IDs](../administrators_reference_guide/help_wstrusttokengeneratormappingtasklet_virtualserveridmappingstate.html). | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To protect against unauthorized access, configure Issuance Criteria to verify virtual server ID in conjunction with other conditions, such as group membership information. For more information, see [Defining issuance criteria for IdP Browser SSO](../administrators_reference_guide/pf_defining_issuance_criteria_idp_browser_sso.html) or [Defining issuance criteria for SP Browser SSO](../administrators_reference_guide/pf_defining_issuance_criteria_sp_browser_sso.html). |