Shibboleth in sub-path URL

Server Fault Asked by J.B. on February 8, 2021

I am trying to install a Shibboleth Service Provider behind a reverse proxy that handles SSL offloading and redirects all /shibboleth/ URLs to the VM that hosts the Shibboleth SP with Apache. Here are some URL examples:

site.domain.com > go to website
site.domain.com/shibboleth/protectedURL1 > go to Shibboleth SP, first protected path
site.domain.com/shibboleth/protectedURL2 > go to Shibboleth SP, second protected path

In shibboleth2.xml I see that all handler URLs are relative:

<Sessions lifetime="28800" timeout="3600" checkAddress="true"
   handlerURL="/Shibboleth.sso" handlerSSL="false" ....

and, examining the SAML calls, I see that the Shibboleth URLs are missing the /shibboleth/ part:

https://site.domain.com/Shibboleth.sso/SAML2/POST

That link is indeed not working, but if I manually add /shibboleth/ (https://site.domain.com/shibboleth/Shibboleth.sso/SAML2/POST), it works.

Where can I configure the Shibboleth URLs to add /shibboleth/?

One Answer

I had to modify handlerURL in the Sessions section of shibboleth2.xml, then reconfigure Apache, adding /shibboleth/ to all locations. I found a clue digging in the Shibboleth documentation: https://wiki.shibboleth.net/confluence/display/SP3/Sessions#Sessions-AdvancedConfiguration

Here is my final Sessions section:

<Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/shibboleth/Shibboleth.sso" handlerSSL="false" exportLocation="/GetAssertion" idpHistory="false" idpHistoryDays="7">

Answered by J.B. on February 8, 2021
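
The two changes the answer describes (handlerURL and the Apache locations) have to agree with the proxied prefix, so here is a small consistency check as an added example; it is not code from the original post. The Apache snippet, the closed Sessions fragments and the function names are constructed for illustration, with one Location deliberately left outside /shibboleth/ to show what gets reported.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PREFIX = "/shibboleth/"                  # path the reverse proxy forwards (from the page)
PUBLIC_BASE = "https://site.domain.com"  # public origin seen in the page's URLs

# Constructed inputs: the page's two Sessions elements (closed so they parse) and a
# hypothetical Apache snippet in which one Location was not moved under the prefix.
BEFORE = ('<Sessions lifetime="28800" timeout="3600" checkAddress="true" '
          'handlerURL="/Shibboleth.sso" handlerSSL="false"/>')
AFTER = ('<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"><ApplicationDefaults>'
         '<Sessions lifetime="28800" timeout="3600" checkAddress="false" '
         'handlerURL="/shibboleth/Shibboleth.sso" handlerSSL="false"/>'
         '</ApplicationDefaults></SPConfig>')
APACHE = """
<Location /shibboleth/Shibboleth.sso>
  SetHandler shib
</Location>
<Location /shibboleth/protectedURL1>
  AuthType shibboleth
  Require valid-user
</Location>
<Location /protectedURL2>
  AuthType shibboleth
  Require valid-user
</Location>
"""

def handler_path(sp_xml):
    """Return the path of Sessions/@handlerURL, whether relative or an absolute URL."""
    root = ET.fromstring(sp_xml)
    sessions = next(e for e in root.iter() if e.tag.split("}")[-1] == "Sessions")
    url = sessions.get("handlerURL", "/Shibboleth.sso")  # documented default when unset
    path = urlsplit(url).path if "://" in url else url
    return "/" + path.strip("/")

def check(sp_xml, apache_conf, prefix=PREFIX, base=PUBLIC_BASE):
    """Return (assertion consumer URL built from handlerURL, list of findings)."""
    handler = handler_path(sp_xml)
    locations = re.findall(r"^\s*<Location\s+([^\s>]+)\s*>", apache_conf, re.M)
    findings = []
    if not handler.startswith(prefix):
        findings.append(f"handlerURL {handler} is outside {prefix}")
    if handler not in locations:
        findings.append(f"no <Location {handler}> for the handler")
    findings += [f"<Location {p}> is outside {prefix}" for p in locations
                 if not p.startswith(prefix)]
    return f"{base}{handler}/SAML2/POST", findings
```

Running `check(BEFORE, APACHE)` reproduces the broken URL from the question, while `check(AFTER, APACHE)` yields the working one and reports only the Location that was left behind.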
