SP behind VPN Gateway: handler locations

Cantor, Scott cantor.2 at osu.edu
Mon Sep 5 18:00:29 BST 2011

On 9/5/11 8:16 AM, "Martin Haase" <martin.haase at daasi.de> wrote:
>Giving the SP a second ACS URL of "/SAML/POST" with the same binding
>leads to a mismatch ("Post targeted at <gateway location> but delivered
>to <the usual one>"). Could this check be circumvented?

No. I thought you meant that the URL the SP sees had the suffix on it. If
the URLs don't match, it won't work.

>On the other hand, I tried a rewrite rule rewriting /Shibboleth.sso/(.*)
>into /Shibboleth.sso/$1,DanaInfo=sp1.intra.net,SSL. This seemed to have
>no effect, both in server and in vhost context. Can you confirm that
>mod_shib runs before any rewriting is done?

I don't know. Apparently sometimes it does. Apache's module ordering
control is fairly unpredictable.

>Any more ideas?

Not really. I believe there are VPNs with SAML support, and this kind of
thing is probably why.

-- Scott

More information about the users mailing list