We use ADAM (Microsoft AD Application Mode), which is an attribute-based LDAP server.
All LDAP calls are going to the same LDAP server group.
The domain I referred to is the FQDN.
To give a specific real-life example:
mba.domain.com is a portal access for MBA students, requiring its own branding of the login page, and access is restricted to user accounts with the appropriate attribute (mba_portal_access=TRUE).
law.domain.com is a portal access for law students, requiring its own branding of the login page, and access is restricted to user accounts with the appropriate attribute (law_portal_access=TRUE).
There may be some students enrolling in a joint-degree program such as MBA/Law degree.
idp.domain.com is a typical Shibboleth application that should be accessible by all portal users.
owa.domain.com is a typical web mail application that should be accessible by anyone (I simplified it so that it is accessible by portal users for now).
Access scenario 1:
A user accessing https://mba.domain.com will be redirected to https://login.domain.com for APM login, which should display the MBA branding login page. After the authentication and authorization process, the user is SSO'd into the MBA portal. If the user clicks on an e-mail link inside the portal, APM will SSO and launch the https://owa.ubalt.edu/owa link. If the user is a joint-degree student, he or she can go to https://law.domain.com and be automatically SSO'd by the APM.
Access scenario 2:
A user accessing https://law.domain.com will be redirected to https://login.domain.com for APM login, which should display the law branding login page. After the authentication and authorization process, the user is SSO'd into the law portal. If the user clicks on an e-mail link inside the portal, APM will SSO and launch the https://owa.ubalt.edu/owa link. If the user is a joint-degree student, he or she can go to https://mba.domain.com and be automatically SSO'd by the APM.
Access scenario 3:
A user accessing https://owa.ubalt.edu/owa will be redirected to https://login.domain.com for APM login, which should display the generic login page. After the authentication and authorization process, the user is automatically SSO'd into OWA.
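The three scenarios above amount to one authorization rule evaluated against the user's ADAM entry, keyed by the host the user came in on: each branded portal requires its own `*_portal_access=TRUE` attribute, the shared applications require any portal entitlement, and a joint-degree user carries both attributes. The following is an added example, not code from the original post or from F5 APM; it simulates that decision in Python over constructed directory entries. The `PORTAL_POLICY` map, the `authorize` function, the use of `userPrincipalName` as the login attribute and the `owa.domain.com` host name are assumptions for illustration. It also shows RFC 4515 escaping of the username before it is placed in the LDAP search filter, which is the check that keeps a user-supplied login name from altering the filter the directory evaluates.

```python
"""Attribute-gated portal access: one LDAP (ADAM) directory, several branded front ends.

Added example. The policy table, attribute names beyond those in the post, and
sample entries are constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical per-portal policy: (required attribute or None, login-page branding).
# None means "any portal user", i.e. at least one portal attribute set to TRUE.
PORTAL_POLICY = {
    "mba.domain.com": ("mba_portal_access", "mba"),
    "law.domain.com": ("law_portal_access", "law"),
    "idp.domain.com": (None, "generic"),
    "owa.domain.com": (None, "generic"),   # assumed host name for the web mail front end
}
PORTAL_ATTRIBUTES = ("mba_portal_access", "law_portal_access")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str) -> str:
    """Filter used to fetch the login user's entry; username is escaped, never interpolated raw."""
    return "(&(objectClass=user)(userPrincipalName=%s))" % ldap_filter_escape(username)


def ldap_bool(values) -> bool:
    """AD/ADAM boolean syntax: the attribute value is the string TRUE (case-insensitive)."""
    return any(str(v).upper() == "TRUE" for v in (values or []))


@dataclass
class Decision:
    allowed: bool
    branding: str     # which login page to show at login.domain.com
    reason: str


def authorize(host: str, entry: dict) -> Decision:
    """Decide access for a user entry (attribute -> list of values) arriving on a given host."""
    policy = PORTAL_POLICY.get(host.lower())
    if policy is None:
        return Decision(False, "generic", "unknown host")
    required, branding = policy
    if required is None:
        # Shared application: any portal entitlement is enough.
        if any(ldap_bool(entry.get(a)) for a in PORTAL_ATTRIBUTES):
            return Decision(True, branding, "portal user")
        return Decision(False, branding, "no portal entitlement")
    if ldap_bool(entry.get(required)):
        return Decision(True, branding, required + "=TRUE")
    return Decision(False, branding, required + " not TRUE")


# Constructed sample entries, shaped like the attribute map an LDAP client returns.
MBA_ONLY = {"userPrincipalName": ["alice@domain.com"], "mba_portal_access": ["TRUE"]}
JOINT_DEGREE = {"userPrincipalName": ["bob@domain.com"],
                "mba_portal_access": ["TRUE"], "law_portal_access": ["TRUE"]}
NO_PORTAL = {"userPrincipalName": ["carol@domain.com"]}

if __name__ == "__main__":
    print(user_search_filter("bob@domain.com"))
    for host in ("mba.domain.com", "law.domain.com", "owa.domain.com"):
        for name, entry in (("alice", MBA_ONLY), ("bob", JOINT_DEGREE), ("carol", NO_PORTAL)):
            print(host, name, authorize(host, entry))
```

The joint-degree case works without any extra rule: the same entry satisfies both portals, so once APM has authenticated the user and read the entry, a later visit to the other portal passes the same `authorize` check with the other attribute.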