SP behind VPN Gateway: handler locations

Martin Haase martin.haase at daasi.de
Tue Sep 6 11:25:22 BST 2011

Thank you, Scott.

Am 05.09.2011 19:00, schrieb Cantor, Scott:
> On 9/5/11 8:16 AM, "Martin Haase" <martin.haase at daasi.de> wrote:
>> Giving the SP a second ACS URL of "/SAML/POST" with the same binding
>> leads to a mismatch ("Post targeted at <gateway location> but delivered
>> to <the usual one>"). Could this check be circumvented?
> No. I thought you meant that the URL the SP sees had the suffix on it. If
> the URLs don't match, it won't work.
>> On the other hand, I tried a rewrite rule rewriting /Shibboleth.sso/(.*)
>> into /Shibboleth.sso/$1,DanaInfo=sp1.intra.net,SSL. This seemed to have
>> no effect, both in server and in vhost context. Can you confirm that
>> mod_shib runs before any rewriting is done?
> I don't know. Apparently sometimes it does. Apache's module ordering
> control is fairly unpredictable.
>> Any more ideas?
> Not really. I believe there are VPNs with SAML support, and this kind of
> thing is probably why.
> -- Scott
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

Dr. Martin Haase
DAASI International GmbH                   phone:     +49 7071 407109-6
Europaplatz 3                              Fax  :     +49 7071 407109-9
D-72072 Tübingen                           email: Martin.Haase at DAASI.de
Germany                                    Web  :   http://www.daasi.de

Directory Applications for Advanced Security and Information Management

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3765 bytes
Desc: S/MIME Cryptographic Signature
Url : http://shibboleth.net/pipermail/users/attachments/20110906/03247f89/attachment.bin 

More information about the users mailing list