SP behind VPN Gateway: handler locations

Cantor, Scott cantor.2 at osu.edu
Thu Aug 25 20:12:27 BST 2011


On 8/25/11 11:55 AM, "Martin Haase" <martin.haase at daasi.de> wrote:
>This is o.k. for users in the intranet. Now the VPN gateway does URL
>rewriting such that for outside users, the SP's ACS URL would be:
>
>   https://my.vpngateway.net/Shibboleth.sso/SAML2/POST/,DanaInfo=sp1.intra.net,SSL
>
>Now I configured this URL in the SP's metadata on the IdP side. The
>problem is, the SP sends the above intranet URL as its ACS. Both do not
>match, so the IdP complains that there's no peer endpoint available etc.
>So how could I achieve that the SP is sending to the IdP the gateway
>address as its ACS, whereas actually receiving the assertion on its
>usual address?

I would start by ignoring the intranet case and seeing if you can get the
outside URLs to work alone. If that ends up working, then the final step
would be having separate Applications in the SP to handle each case.

To make it work, you'd need to use an older-style configuration so that
the ACS endpoints are enumerated in the older way. You would have to add
that suffix to the Locations of those endpoints.

As for the rest, I think you'd have to virtualize the web server's
hostname, but that won't work if you have both sets of traffic hitting one
vhost. So really, I would advise not doing that. If you really can't keep
them to separate vhosts locally, then you can try setting handlerURL to an
absolute URL of https://my.vpngateway.net/Shibboleth.sso

Good luck.

-- Scott
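The shape of the older-style shibboleth2.xml configuration described in the reply above, as a constructed example that is not from the thread or the Shibboleth project: `handlerURL` is made absolute to the gateway, and the ACS endpoints are enumerated explicitly so each `Location` carries the gateway's rewriting suffix. Hostnames are the ones from the thread; the entityID and IdP values are placeholders, and only the outside (VPN) case is configured, as the reply suggests starting with.

```xml
<!-- Constructed shibboleth2.xml fragment for the VPN-gateway case (SP 2.x,
     older-style endpoint enumeration). Placeholders: the entityID and the
     IdP entityID; my.vpngateway.net and sp1.intra.net come from the thread. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">
  <ApplicationDefaults entityID="https://sp1.intra.net/shibboleth">

    <!-- Absolute handlerURL: every endpoint the SP advertises to the IdP now
         starts with the gateway address rather than the local vhost. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              relayState="ss:mem" handlerSSL="true"
              handlerURL="https://my.vpngateway.net/Shibboleth.sso">

      <!-- Explicit session initiator instead of the <SSO> shortcut, so the
           ACS list below is used as written (acsIndex selects an entry). -->
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                        id="Login" entityID="https://idp.example.org/idp/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
      </SessionInitiator>

      <!-- Enumerated ACS endpoints with the gateway suffix appended to each
           Location. The index values must match the ACS entries in the SP
           metadata the IdP has loaded, or the IdP will again find no peer
           endpoint for the request. -->
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="/SAML2/POST/,DanaInfo=sp1.intra.net,SSL"/>
      <md:AssertionConsumerService index="2"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
          Location="/SAML2/POST-SimpleSign/,DanaInfo=sp1.intra.net,SSL"/>

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    </Sessions>

  </ApplicationDefaults>
</SPConfig>
```

After restarting shibd, compare the ACS entries in the SP's generated metadata (the `/Metadata` handler) with the copy registered at the IdP; the two must list identical Location values and indexes, and the path the SP actually receives through the gateway must match the configured Location.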


