SP behind VPN Gateway: handler locations

Martin Haase martin.haase at daasi.de
Mon Sep 5 13:16:52 BST 2011

Hi Scott,

On 02.09.2011 22:30, Cantor, Scott wrote:
> Correction...they might affect what gets reported, if UseCanonicalName is
> Off. If it's On, ServerName rules.
Great! That did the trick, thank you. It is now closer, but, alas!, not
there yet. Now SP and IdP agree that the ACS location of
is to be used. The IdP also redirects there. Once it passes through the
gateway, it proxies the URL and the gateway sends a request to
What happens: the SP receives it, but does not know anymore how to
handle this location, claiming it is unconfigured, which is true after
all (i.e. that path, the host does not seem to matter).

Giving the SP a second ACS URL of "/SAML/POST" with the same binding
leads to a mismatch ("Post targeted at <gateway location> but delivered
to <the usual one>"). Could this check be circumvented?

On the other hand, I tried a rewrite rule rewriting /Shibboleth.sso/(.*)
into /Shibboleth.sso/$1,DanaInfo=sp1.intra.net,SSL. This seemed to have
no effect, both in server and in vhost context. Can you confirm that
mod_shib runs before any rewriting is done?

Any more ideas?

Besides, I filed the IdP bug about the incorrect treatment of



Dr. Martin Haase
DAASI International GmbH                   phone:     +49 7071 407109-6
Europaplatz 3                              Fax  :     +49 7071 407109-9
D-72072 Tübingen                           email: Martin.Haase at DAASI.de
Germany                                    Web  :   http://www.daasi.de

Directory Applications for Advanced Security and Information Management
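The "Post targeted at X but delivered to Y" error quoted above comes from the SP comparing the Destination attribute of the incoming SAML response with the URL it believes the request arrived at, which in turn depends on ServerName and UseCanonicalName as discussed earlier in the thread. The following is an added illustration of that comparison, not Shibboleth SP code or a DAASI contribution; the sample response, the host names, the handler path and the function names are constructed assumptions, and the gateway-rewritten path from the post is not reproduced because it is not shown there.

```python
"""Simplified illustration of a SAML 2.0 Destination check (constructed,
not Shibboleth's implementation): the SP compares the Destination the IdP
wrote into the response with the URL it reconstructs for the request."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def extract_destination(saml_response_xml: str) -> str:
    """Return the Destination attribute of a samlp:Response element."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("response carries no Destination attribute")
    return dest


def normalize(url: str) -> tuple:
    """Reduce a URL to (scheme, host, port, path) with defaults applied so
    that https://host/x and https://host:443/x compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port, parts.path


def delivered_url(server_name: str, use_canonical_name: bool,
                  host_header: str, path: str, scheme: str = "https") -> str:
    """Reconstruct the request URL the way Apache reports it: with
    UseCanonicalName On the configured ServerName wins, with it Off the
    Host header sent by the client (here: the VPN gateway) is used."""
    host = server_name if use_canonical_name else host_header
    return f"{scheme}://{host}{path}"


def destination_check(saml_response_xml: str, server_name: str,
                      use_canonical_name: bool, host_header: str,
                      path: str):
    """Return None when the Destination matches the delivered URL,
    otherwise an error string in the style of the SP's message."""
    dest = extract_destination(saml_response_xml)
    delivered = delivered_url(server_name, use_canonical_name,
                              host_header, path)
    if normalize(dest) != normalize(delivered):
        return f"Post targeted at {dest} but delivered to {delivered}"
    return None


# Constructed sample response; only the attributes relevant to the check.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0" IssueInstant="2011-09-05T12:00:00Z" '
    'Destination="https://sp1.intra.net/Shibboleth.sso/SAML2/POST"/>'
)
HANDLER_PATH = "/Shibboleth.sso/SAML2/POST"  # assumed ACS path


def demo_canonical_on():
    """ServerName rules: the gateway's Host header is ignored."""
    return destination_check(SAMPLE_RESPONSE, "sp1.intra.net", True,
                             "gateway.example.net", HANDLER_PATH)


def demo_canonical_off():
    """Host header rules: the reconstructed URL names the gateway."""
    return destination_check(SAMPLE_RESPONSE, "sp1.intra.net", False,
                             "gateway.example.net", HANDLER_PATH)


if __name__ == "__main__":
    print("UseCanonicalName On :", demo_canonical_on())
    print("UseCanonicalName Off:", demo_canonical_off())
```

The two demo functions show the same response once with UseCanonicalName On (the SP reconstructs the sp1.intra.net URL and the check passes) and once with it Off (the Host header supplied by the gateway is used and the check fails); a second ACS endpoint with a different path, as tried in the post, would fail the same comparison because the path is part of what is compared.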
