by jessaustin 2424 days ago
Sure it can handle logins to both "theircompany.com" and "service.theircompany.com", assuming the cert is set up correctly. It probably isn't going to figure out that those are related to "theircompany-service.net". This would arguably be a failure in domain setup, but I've certainly seen similar setups before.

Example: "https://hbweb.incompass-solutions.com/" uses the same credentials as "http://www.equineline.com/" since they're both owned by the Jockey Club.

1 comments

Some password managers (like Bitwarden) allow for N URL patterns for a given credential, for exactly this purpose.
Sure, but that's something the user sets up, so it still contradicts GP's contention that the user never needs to think about this. The only thing a password manager can (validly) do automatically is look at subject name and subject alt names. (I don't know that all of them even do this.) Even that's assuming that certs are set up correctly...
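
The two matching paths discussed in this thread, as an added sketch that is not from any commenter and not any password manager's actual code: automatic matching from the certificate's subject alt names versus a user-maintained URL list. The function names, the SAN lists and the hostnames (taken from the hypothetical in the parent comment) are assumptions made for illustration.

```python
# Added illustration. SAN lists and hostnames are constructed sample data.

def san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    RFC 6125 style: a wildcard counts only as the entire left-most label,
    and it stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels so a pattern like "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(sans, host: str) -> bool:
    """True if any SAN entry in the certificate names this host."""
    return any(san_matches(s, host) for s in sans)


def offer_credential(saved_host, current_host, current_sans, user_uris=()):
    """Return why a saved login would be offered on current_host, or None."""
    saved, current = saved_host.lower(), current_host.lower()
    if current == saved:
        return "exact"
    # Manual path: the user listed the extra host on the credential.
    if current in (u.lower() for u in user_uris):
        return "user-configured"
    # Automatic path: the certificate the site presents names both hosts.
    if cert_covers(current_sans, current) and cert_covers(current_sans, saved):
        return "same-certificate"
    return None


# Constructed certificates for the hypothetical sites in the thread.
COMPANY_SANS = ["theircompany.com", "*.theircompany.com"]
OTHER_SANS = ["theircompany-service.net"]

if __name__ == "__main__":
    print(offer_credential("theircompany.com", "service.theircompany.com", COMPANY_SANS))
    print(offer_credential("theircompany.com", "theircompany-service.net", OTHER_SANS))
    print(offer_credential("theircompany.com", "theircompany-service.net", OTHER_SANS,
                           user_uris=["theircompany-service.net"]))
```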