When you use virtual server IDs to connect to multiple environments in one connection, verifying at runtime the virtual server ID in conjunction with other end-user attributes, such as group membership, protects against unauthorized access.

For instance, both the sales and the support departments of contoso.com, the identity provider (IdP), have their own departmental subdomains, sales.contoso.com and support.contoso.com. The service provider (SP) identifies both environments under the parent domain, contoso.com.

In this scenario, you can configure the PingFederate IdP server to include both sales.contoso.com and support.contoso.com as the virtual server IDs in the SP connection.

If you use one IdP adapter to authenticate end users from both departments, use an OGNL expression to cross-check the virtual server ID information in the request and the end user's group membership information.

#this.get("ds.memberOf")!=null?
(
  (
    #this.get("ds.memberOf").toString().matches("(?i)CN=Eng,OU=E,DC=contoso,DC=com")
    &&
    #this.get("context.VirtualServerId").toString()=="Engineering"
  )||
  (
    #this.get("ds.memberOf").toString().matches("(?i)CN=Mkt,OU=M,DC=contoso,DC=com")
    &&
    #this.get("context.VirtualServerId").toString()=="Marketing"
  )
):false
Note:

Line breaks are inserted for readability only. You must enter statements calling methods whose arguments are enclosed in quotes on a single line.