SP behind VPN Gateway: handler locations
Cantor, Scott
cantor.2 at osu.edu
Fri Sep 2 21:21:25 BST 2011
On 9/2/11 12:56 PM, "Martin Haase" <martin.haase at daasi.de> wrote:
>
>1. Access to
>https://gateway.net/Shibboleth.sso/Metadata,DanaInfo=sp.intra.net,SSL
>from outside intranet
>2. Apache on SP is contacted by the gateway under the intranet IP and
>hostname
>3. Although hostname is sp.intra.net, shibd should think hostname is
>gateway.net and generate proper ACS URL
Not shibd, Apache. shibd has nothing to do with it, this is standard web
server setup. Your server MUST be able to inform applications how to
generate self-referential URLs. Redirects MUST be absolute, and
applications hardwiring hostnames into themselves is, well, ridiculous,
so that's why the web server has to be virtualized.
(IIS does NOT support this, as I like to remind people.)
>For this to work, I configured an ACS Location of
>"/SAML/POST/,DanaInfo=sp.intra.net,SSL" and tried almost every possible
>Apache configuration I can think of, but it always boils down to the SP
>generating this ACS URL:
>https://sp.intra.net/Shibboleth.sso/Metadata,DanaInfo=sp.intra.net,SSL .
If that's true, Apache thinks the ServerName is sp.intra.net for requests
to whatever vhost is handling them.
>So I'm really stuck with point 3. I tried various combinations of
>NameVirtualHost, VirtualHost, ServerName, ServerAlias, and some rewrite
>rules.
There is nothing involved but ServerName. The rest involve how the Apache
server maps client-supplied inputs to selecting the vhost to actually use.
Those might be causing the wrong vhost to be handling requests, but they
won't change how the server reports itself to applications.
-- Scott
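One way to make Apache report the gateway hostname to mod_shib, as an added example that is not from the thread or from Shibboleth's own documentation. The hostnames are those from the thread; the use of UseCanonicalName, the Location path and the certificate paths are assumptions.

```apache
# Added example, not from the thread. Assumed: the SP host answers as
# sp.intra.net on the intranet, the VPN gateway presents it as gateway.net,
# and mod_shib is already loaded.
<VirtualHost *:443>
    # ServerName (not NameVirtualHost, ServerAlias or rewrite rules) is what
    # Apache hands to applications such as mod_shib when they build
    # self-referential URLs like the ACS location.
    ServerName gateway.net:443
    # ServerAlias only affects which vhost a request is routed to, so the
    # intranet name can stay here without changing what is reported.
    ServerAlias sp.intra.net

    # With UseCanonicalName Off (the Apache default) self-referential URLs
    # are built from the client-supplied Host header, which is sp.intra.net
    # when the gateway connects. On forces ServerName instead.
    UseCanonicalName On

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sp.intra.net.crt    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/sp.intra.net.key  # placeholder path

    # Assumed protected area; the path is illustrative.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
    </Location>
</VirtualHost>
```

After restarting Apache, fetching /Shibboleth.sso/Metadata through the gateway should show the AssertionConsumerService Location beginning with https://gateway.net/ rather than https://sp.intra.net/.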