SP behind VPN Gateway: handler locations

Cantor, Scott cantor.2 at osu.edu
Fri Sep 2 21:21:25 BST 2011

On 9/2/11 12:56 PM, "Martin Haase" <martin.haase at daasi.de> wrote:
>1. Access to
>from outside intranet
>2. Apache on SP is contacted by the gateway under the intranet IP and
>3. Although hostname is sp.intra.net, shibd should think hostname is
>gateway.net and generate proper ACS URL

Not shibd, Apache. shibd has nothing to do with it, this is standard web
server setup. Your server MUST be able to inform applications how to
generate self-referential URLs. Redirects MUST be absolute, and
applications hardwiring hostnames into themselves is, well, ridiculous,
so that's why the web server has to be virtualized.

(IIS does NOT support this, as I like to remind people.)

>For this to work, I configured an ACS Location of
>"/SAML/POST/,DanaInfo=sp.intra.net,SSL" and tried almost every possible
>Apache configuration I can think of, but it always boils down to the SP
>generating this ACS URL:
>https://sp.intra.net/Shibboleth.sso/Metadata,DanaInfo=sp.intra.net,SSL .

If that's true, Apache thinks the ServerName is sp.intra.net for requests
to whatever vhost is handling them.

>So I'm really stuck with point 3. I tried various combinations of
>NameVirtualHost, VirtualHost, ServerName, ServerAlias, and some rewrite

There is nothing involved but ServerName. The rest involve how the Apache
server maps client-supplied inputs to selecting the vhost to actually use.
Those might be causing the wrong vhost to be handling requests, but they
won't change how the server reports itself to applications.

-- Scott
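Added example, not from the original thread or from the Shibboleth project: an Apache virtual host configured the way Scott describes, so that the server reports the gateway's public name to applications (mod_shib included) and therefore generates handler and ACS URLs under that name. The hostnames gateway.net and sp.intra.net are taken from the thread; the listening port, certificate paths, and the protected location are assumptions.

```apache
# Added example; not part of the thread.
# Hostnames gateway.net and sp.intra.net come from the thread; the port,
# certificate paths and /secure location are assumptions.
Listen 443

<VirtualHost *:443>
    # The name Apache reports to applications when they ask how to build
    # self-referential URLs (this is what mod_shib uses for the ACS URL).
    ServerName gateway.net:443

    # ServerAlias only affects which vhost is selected for a request that
    # arrives with Host: sp.intra.net; it never changes the reported name.
    ServerAlias sp.intra.net

    # The default is Off, in which case Apache derives SERVER_NAME and
    # self-referential URLs from the client-supplied Host header, i.e. from
    # whatever the gateway sends (sp.intra.net in this thread).
    # With On, ServerName above is used instead.
    UseCanonicalName On
    UseCanonicalPhysicalPort On

    SSLEngine on
    # Assumed paths.
    SSLCertificateFile    /etc/ssl/certs/sp-example.crt
    SSLCertificateKeyFile /etc/ssl/private/sp-example.key

    # Assumed protected resource; any path will do for checking the ACS URL.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

To check the effect after a restart, fetch the SP's metadata handler (Shibboleth.sso/Metadata, as in the quoted message) and confirm that the AssertionConsumerService Location now carries gateway.net rather than sp.intra.net. If it still shows the intranet name, either UseCanonicalName is Off somewhere that overrides this vhost, or the request is being served by a different vhost whose ServerName is sp.intra.net.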
