When you use virtual server IDs to connect to multiple environments in one connection, verifying at runtime the virtual server ID in conjunction with other end-user attributes, such as group membership, protects against unauthorized access.
For instance. both the sales and the support departments of contoso.com (the IdP) have their own departmental subdomains, sales.contoso.com and support.contoso.com. The SP identifies both environments under the parent domain, contoso.com.
In this scenario, the PingFederate IdP server can be configured to include both sales.contoso.com and support.contoso.com as the virtual server IDs in the SP connection.
If you use one IdP adapter to authenticate end users from both departments, use an OGNL expression to cross-check the virtual server ID information in the request and the end user's group membership information. For example:
#this.get("ds.memberOf")!=null? ( ( #this.get("ds.memberOf").toString().matches("(?i)CN=Eng,OU=E,DC=contoso,DC=com") && #this.get("context.VirtualServerId").toString()=="Engineering" )|| ( #this.get("ds.memberOf").toString().matches("(?i)CN=Mkt,OU=M,DC=contoso,DC=com") && #this.get("context.VirtualServerId").toString()=="Marketing" ) ):false
Line breaks are inserted for readability only; statements calling methods whose arguments are enclosed in quotes must be entered on a single line.