You can optionally define a list of alternate domain names at which PingFederate receives application and protocol messages.
This is done in the Virtual Host Names window. When configured, PingFederate honors the originally requested host throughout all browser redirects and metadata retrieval if the requested host matches one of the virtual host names. This capability allows you to fully support any number of branded URLs regardless of configured use cases within a single PingFederate environment.
Furthermore, virtual host names give you more flexibility when validating protocol elements that name the intended recipient, such as the Destination and Recipient attributes in inbound SAML messages and the aud claim in JSON Web Tokens (JWTs) that OAuth clients present for client authentication.
- SAML inbound messages
  - In certain contexts, the SAML specifications require that XML messages carry a URL identifying the host to which the sender directed the message. As the recipient of such messages, PingFederate validates that this value matches the location where the message was received, which is the Base URL value defined on the Federation Info tab of the Protocol Settings window.
  - When virtual host names are configured, PingFederate also accepts any of them, in addition to its base URL, as part of its message-security validation.
- OAuth client authentication using the private_key_jwt client authentication method
  - An OAuth client can authenticate to an authorization server by presenting a signed JWT. Per the specification (RFC 7523), the client must identify the intended recipient in the aud claim of that JWT. When acting as the authorization server, PingFederate verifies that the aud claim value matches either its base URL or the Token Endpoint Base URL value defined in the Authorization Server Settings window.
  - When virtual host names are configured, PingFederate accepts them in this verification as well.
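The two checks above share one idea: a message is accepted only if the recipient it names resolves to a host this server is configured to answer for. The following is an added illustration of that recipient policy, written for this page and not taken from PingFederate; the class name, the constructed sample JWT and the hostnames are assumptions. It normalizes scheme, host and port before comparing, treats an aud claim as either a string or an array (RFC 7519 section 4.1.3), and rejects a Destination whose host is known but whose path is not the endpoint that actually received the message. Signature verification of the JWT is assumed to happen before these checks and is not shown.

```python
import base64
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize(url):
    """Return (scheme, host, port, path) with host lowercased, default port filled in,
    and a trailing slash stripped, so that equal URLs compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed recipient URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port, parts.path.rstrip("/"))


class RecipientPolicy:
    """Hypothetical model of the 'which hosts am I?' decision described on this page:
    the base URL, the token endpoint base URL, and every configured virtual host name."""

    def __init__(self, base_url, token_endpoint_base_url=None, virtual_host_names=()):
        self.base = normalize(base_url)
        self.token_base = normalize(token_endpoint_base_url or base_url)
        self.virtual_hosts = {h.lower() for h in virtual_host_names}

    def accepted_audiences(self):
        """Every normalized URL an aud claim may name: the two base URLs, plus each of
        them with the host swapped for a configured virtual host name."""
        accepted = set()
        for scheme, host, port, path in (self.base, self.token_base):
            accepted.add((scheme, host, port, path))
            for vhost in self.virtual_hosts:
                accepted.add((scheme, vhost, port, path))
        return accepted

    def accepted_origins(self):
        """(scheme, host, port) triples this server answers for."""
        return {aud[:3] for aud in self.accepted_audiences()}

    def saml_destination_ok(self, destination, receiving_path):
        """Destination/Recipient check: the host must be one of ours AND the path must be
        the endpoint that received the message, so a valid host cannot be paired with a
        different endpoint's URL."""
        try:
            scheme, host, port, path = normalize(destination)
        except ValueError:
            return False
        return (scheme, host, port) in self.accepted_origins() and path == receiving_path.rstrip("/")

    def jwt_aud_ok(self, aud):
        """aud may be a string or a list; the JWT is accepted if any value names this server.
        Malformed values never match."""
        values = [aud] if isinstance(aud, str) else list(aud or [])
        accepted = self.accepted_audiences()
        for value in values:
            try:
                if normalize(value) in accepted:
                    return True
            except ValueError:
                continue
        return False


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified_claims(jwt):
    """Parse the claims of a compact JWT. Only call this after the signature has been
    verified against the client's registered key (verification is out of scope here)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


# Constructed sample: a private_key_jwt assertion aimed at a branded virtual host.
# The signature segment is a placeholder, not a real RS256 signature.
CONSTRUCTED_CLIENT_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "brand-a-client", "sub": "brand-a-client",
        "aud": "https://login.brand-a.example:9031",
        "jti": "n-0S6_WzA2Mj", "exp": 1700000000,
    }).encode()),
    _b64url_encode(b"signature-placeholder"),
])

# Assumed deployment: one PingFederate base URL plus two branded virtual host names.
POLICY = RecipientPolicy(
    "https://sso.example.com:9031",
    virtual_host_names=["login.brand-a.example", "login.brand-b.example"],
)

if __name__ == "__main__":
    claims = decode_unverified_claims(CONSTRUCTED_CLIENT_JWT)
    print("aud accepted:", POLICY.jwt_aud_ok(claims["aud"]))
    print("Destination accepted:",
          POLICY.saml_destination_ok("https://login.brand-b.example:9031/idp/SSO.saml2", "/idp/SSO.saml2"))
```

Note that the comparison is on the full origin, so `http://sso.example.com:9031` and `https://sso.example.com` (port 443) are both refused even though the hostname is right; an attacker who can make a client mint an assertion for a lookalike origin gains nothing from a partial match.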
Virtual host names and virtual server IDs serve different purposes. A virtual server ID provides a separate, unique entity identifier on a per-connection basis for a federation deployment, normally within the same domain. For more information, see Multiple virtual server IDs. The two are not mutually exclusive: depending on your use cases and infrastructure, you can configure both virtual server IDs and virtual host names in the same PingFederate environment.
Multiple site certificates
When multiple domain names are involved, you can configure PingFederate with multiple site certificates so that it presents the certificate matching the host the client requested (selected by the Server Name Indication sent in the TLS handshake). For more information, see Manage SSL server certificates.