SP behind VPN Gateway: handler locations

Martin Haase martin.haase at daasi.de
Fri Sep 2 17:56:21 BST 2011

Hi Scott,

>>    ad 1. I cannot seem to be able to set the SP's server address to the
>> gateway's address,
> You need a proper vhost for it.

To understand you right, do you have the following scenario in mind?

1. Access to
from outside intranet
2. Apache on SP is contacted by the gateway under the intranet IP and
3. Although hostname is sp.intra.net, shibd should think hostname is
gateway.net and generate proper ACS URL

For this to work, I configured an ACS Location of
"/SAML/POST/,DanaInfo=sp.intra.net,SSL" and tried almost every possible
Apache configuration I can think of, but it always boils down to the SP
generating this ACS URL:
https://sp.intra.net/Shibboleth.sso/Metadata,DanaInfo=sp.intra.net,SSL .
And this is what the SP is telling the IdP in the AuthNRequest as
well, but it is not the URL at which it can be reached from outside.

So I'm really stuck with point 3. I tried various combinations of
NameVirtualHost, VirtualHost, ServerName, ServerAlias, and some rewrite
rules. If it is doable with Apache config, could you please point me
further in the direction you are proposing? And did I miss anything
I need to do in the Shibboleth config?



Dr. Martin Haase
DAASI International GmbH                   phone:     +49 7071 407109-6
Europaplatz 3                              Fax  :     +49 7071 407109-9
D-72072 Tübingen                           email: Martin.Haase at DAASI.de
Germany                                    Web  :   http://www.daasi.de

Directory Applications for Advanced Security and Information Management
