SP behind VPN Gateway: handler locations
Martin Haase
martin.haase at daasi.de
Tue Sep 6 11:25:22 BST 2011
Thank you, Scott.
Am 05.09.2011 19:00, schrieb Cantor, Scott:
> On 9/5/11 8:16 AM, "Martin Haase" <martin.haase at daasi.de> wrote:
>> Giving the SP a second ACS URL of "/SAML/POST" with the same binding
>> leads to a mismatch ("Post targeted at <gateway location> but delivered
>> to <the usual one>"). Could this check be circumvented?
> No. I thought you meant that the URL the SP sees had the suffix on it. If
> the URLs don't match, it won't work.
>
>> On the other hand, I tried a rewrite rule rewriting /Shibboleth.sso/(.*)
>> into /Shibboleth.sso/$1,DanaInfo=sp1.intra.net,SSL. This seemed to have
>> no effect, both in server and in vhost context. Can you confirm that
>> mod_shib runs before any rewriting is done?
> I don't know. Apparently sometimes it does. Apache's module ordering
> control is fairly unpredictable.
>
>> Any more ideas?
> Not really. I believe there are VPNs with SAML support, and this kind of
> thing is probably why.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
-----------------------------------------------------------------------
Dr. Martin Haase
DAASI International GmbH phone: +49 7071 407109-6
Europaplatz 3 Fax : +49 7071 407109-9
D-72072 Tübingen email: Martin.Haase at DAASI.de
Germany Web : http://www.daasi.de
Directory Applications for Advanced Security and Information Management
-----------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3765 bytes
Desc: S/MIME Cryptographic Signature
Url : http://shibboleth.net/pipermail/users/attachments/20110906/03247f89/attachment.bin
More information about the users
mailing list