diff --git a/access.lua b/access.lua
index 288c5a1..ad491cb 100644
--- a/access.lua
+++ b/access.lua
@@ -65,6 +65,8 @@ function check_authentication()
decoded, err = jwt.verify(cookie, "HS256", cookie_secret)
+ -- FIXME : maybe also check that the cookie was delivered for the requested domain (or a parent?)
+ -- FIXME : we might want also a way to identify expired/invalidated cookies,
-- e.g. a user that got deleted after being logged in ...
@@ -283,8 +285,14 @@ if has_access then
-- 2nd case : no access ... redirect to portal / login form
else
- if is_logged_in then
- return redirect(conf.portal_url)
+ portal_url = conf["domain_portal_urls"][ngx.var.host]
+ if portal_url == nil then
+ ngx.status = 400
+ ngx.header.content_type = "plain/text"
+ ngx.say('Unmanaged domain')
+ return
+ elseif is_logged_in then
+ return ngx.redirect(portal_url)
else
local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. uri_args_string()
diff --git a/conf.json.example b/conf.json.example
index d49b969..fa5ab05 100644
--- a/conf.json.example
+++ b/conf.json.example
@@ -1,7 +1,8 @@
{
- "domains": [
- "example.tld",
- "example.org"
+ "domain_portal_urls": [
+ "example.tld": "example.tld/yunohost/sso",
+ "sub.example.tld": "example.tld/yunohost/sso",
+ "foobar.org": "foobar.org/yunohost/sso"
],
"permissions": {
"core_skipped": {
@@ -54,8 +55,6 @@
]
}
},
- "portal_domain": "example.tld",
- "portal_path": "/yunohost/sso/",
"redirected_regex": {
"example.tld/yunohost[\\/]?$": "https://example.tld/yunohost/sso/"
},
diff --git a/config.lua b/config.lua
index 84515aa..a7ac64f 100644
--- a/config.lua
+++ b/config.lua
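Review bot: `portal_url = conf["domain_portal_urls"][ngx.var.host]` in the new `else` branch is assigned without `local`, so it becomes a global; in ngx_lua handlers globals are shared across the requests a worker serves, and the `back_url` a few lines down in this same branch is declared `local`, so `local portal_url = conf["domain_portal_urls"][ngx.var.host]` is the consistent form. The 400 response sets `ngx.header.content_type = "plain/text"`; the registered media type is `"text/plain"`. The values this lookup returns are written without a scheme in conf.json.example (`example.tld/yunohost/sso`), so `ngx.redirect(portal_url)` would send a relative Location that the browser resolves against the current page; either the scheme belongs in the config values (in which case config.lua's `core_skipped` insert receives a different shape than the old `portal_domain..portal_path` entry), or the redirect should add it, `return ngx.redirect("https://" .. portal_url)`. Keying the lookup on the client-supplied Host header and refusing hosts outside the configured map is the right place for that check. The enclosing `if has_access` block and the `else` branch continue outside the hunk.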
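Review bot: The new `domain_portal_urls` block wraps key/value pairs in `[` … `]`, which is not valid JSON, so this example file no longer parses; it should read `"domain_portal_urls": {` with a matching `},` in place of `],`. The values omit the scheme while the existing `redirected_regex` entry further down spells its target as `https://example.tld/yunohost/sso/`; access.lua passes these values straight to `ngx.redirect` and config.lua appends them to `core_skipped`, so the example should carry whichever form those two call sites agree on.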
@@ -87,38 +87,10 @@ function get_config()
end
end
-
- -- Default configuration values
- default_conf = {
- portal_path = "/ssowat/",
- local_portal_domain = "yunohost.local",
- domains = { conf["portal_domain"], "yunohost.local" },
- logging = "fatal", -- Only log fatal messages by default (so apriori nothing)
- permissions = {}
- }
-
- -- Load default values unless they are set in the configuration file.
- for param, default_value in pairs(default_conf) do
- conf[param] = conf[param] or default_value
+ -- Always skip the portal urls to avoid redirection looping.
+ for domain, portal_url in pairs(conf["domain_portal_urls"]) do
+ table.insert(conf["permissions"]["core_skipped"]["uris"], portal_url)
end
-
- -- If you access the SSO by a local domain, change the portal domain to
- -- avoid unwanted redirections.
- if ngx.var.host == conf["local_portal_domain"] then
- conf["portal_domain"] = conf["local_portal_domain"]
- end
-
- -- Build portal full URL out of the configuration values
- conf.portal_url = "https://"..
- conf["portal_domain"]..
- conf["portal_path"]
-
- -- Always skip the portal to avoid redirection looping.
- table.insert(conf["permissions"]["core_skipped"]["uris"], conf["portal_domain"]..conf["portal_path"])
-
return conf
end
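Review bot: The new loop calls `pairs(conf["domain_portal_urls"])` with no fallback, and the removed `default_conf` block took the `logging = "fatal"` and `permissions = {}` defaults with it, so a conf.json that omits the new key now fails inside get_config with a `pairs` error on nil instead of loading; `for _, portal_url in pairs(conf["domain_portal_urls"] or {}) do` keeps load working, with the loop variable renamed since `domain` is never used. If anything else still reads `conf["logging"]` — not visible in this hunk — `conf["logging"] = conf["logging"] or "fatal"` is worth keeping next to it. The old skipped entry was built as `portal_domain..portal_path` (ending in `/` in the example), whereas the new entries are appended verbatim from config, so whether `core_skipped` matching still behaves the same depends on how operators write the values. With the example mapping two hosts to the same portal URL the same string is appended once per host; harmless, but a `seen` table would keep the skip list free of duplicates. get_config begins outside the hunk.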