The APS Identity protocol allows Parallels products to support branding, that is, identification of a product or a service with the parent company. For instance, if resellers of services provided by Parallels Plesk Control Panel want end customers not to know they actually purchase services from a reseller, not from a direct provider, the Plesk administrator can configure a branded IdP for the resellers to hide the original IdP URL (called the default IdP URL) from end users.
By default, all SSO-participating applications exchange security data with a default IdP. The default IdP URL (domain name and port) is given to the applications on registration in a specific IdP. The applications may implement the ability to change the default IdP URL without re-registering in the IdP (in case the IdP has been moved to another domain).
A branded IdP is actually a proxy between the default IdP and a reseller's domain. All data transferred from the domain to the branded IdP must be redirected to the default IdP. When the default IdP has processed the data, the data must be returned to the domain through the branded IdP. All these proxy-related operations must be implemented by the SSO-participating application that owns the branded IdP.
The reseller must have the ability to roll back the default IdP URL.
If an SSO-participating application is controlled by several branded resellers, it should be able to identify, from the Host header of each incoming request, which IdP should be used for that request. Controlled applications should use a translation table of associations between domains and branded IdPs.
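A sketch of the translation-table lookup described above, as an added example that is not Parallels code; the domain names, URLs, port and function names are constructed assumptions. Because the Host header is supplied by the client, it is used only as a lookup key after normalisation and is never copied into the IdP URL, and unknown or malformed hosts get the default IdP.

```python
from typing import Mapping, Optional

# Constructed sample values (assumptions): real URLs come from IdP
# registration and from the administrator's reseller configuration.
DEFAULT_IDP_URL = "https://idp.provider.example:11443"
BRANDED_IDPS = {
    "panel.reseller-a.example": "https://sso.reseller-a.example:11443",
    "panel.reseller-b.example": "https://sso.reseller-b.example:11443",
}


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Reduce a raw Host header to a lowercase hostname, or None if malformed."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Characters that never belong in a Host value; rejecting them blocks
    # userinfo tricks (user@host), path smuggling and header splitting.
    if any(c in host for c in " \t\r\n/@\\,"):
        return None
    if host.startswith("["):
        return None  # IPv6 literals are not expected as branded domains
    name, sep, port = host.partition(":")
    if sep and not (port.isascii() and port.isdigit()):
        return None  # "host:", "host:abc" and "a:b:c" are all malformed
    name = name.rstrip(".")  # treat the fully qualified form as the same domain
    return name or None


def resolve_idp(
    host_header: Optional[str],
    table: Mapping[str, str] = BRANDED_IDPS,
    default: str = DEFAULT_IDP_URL,
) -> str:
    """Pick the IdP URL for a request by exact match in the translation table."""
    host = normalize_host(host_header)
    if host is None:
        return default
    # Exact-match allowlist: the returned URL always comes from configuration,
    # never from request data, so a forged Host cannot steer the redirect.
    return table.get(host, default)


if __name__ == "__main__":
    for sample in ("panel.reseller-a.example", "PANEL.Reseller-B.example.:8443",
                   "unknown.example", "panel.reseller-a.example@other.example"):
        print(f"{sample!r:45} -> {resolve_idp(sample)}")
```

Removing a domain from the table is enough to send that domain's requests to the default IdP again.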