IDP Reverse Proxy

Joshua Riffle jriffle at apu.edu
Tue Jul 24 13:55:17 EDT 2012


Hi Scott,
  To follow up on this conversation. I don't fully understand your
explanation but we were able to get the reverse proxy with Shibboleth IDP
to work using the following environment. So for the Shib User archives
here's how it works:

1. Apache2 Reverse Proxy Server at host https://idp.example.edu
2. Internal Tomcat server at shib.example.edu with SSL setup as 8443 and
Shibboleth WAR installed as ROOT.

idp.example.edu is set up with the following proxying directives (next to its
other virtualhost configuration):

SSLProxyEngine on
ProxyPreserveHost on
ProxyPass / https://shib.example.edu:8443/
ProxyPassReverse / https://shib.example.edu:8443/

In order for this setup to work the front-facing host name (idp.example.edu)
must be in the IDP's metadata SAML section so that Service Providers know
how to message back and forth with Shibboleth through the front-facing
server URL. However, the proxy to the internal host (shib.example.edu) will
rewrite the host name URL when it is communicated between idp.example.edu and
shib.example.edu. The directive ProxyPreserveHost is turned on so that the
host name is left unchanged when it arrives at shib.example.edu. Under
normal circumstances we use SSL encryption at the front-facing server and
clear text communication to the proxied host because it's already in a safe
sandbox but even with ProxyPreserveHost turned on Shib recognizes that the
endpoint URL is HTTP when it arrives at shib.example.edu and not HTTPS
which it expects (causing a SAML EndPoint URL mismatch). So it was
necessary to set up SSL communication between the front-facing server and
its proxied host in order to mimic the HTTPS URL and match the expected
EndPoint URL for SAML.

Joshua Riffle
Software Engineer
Azusa Pacific University

On Mon, Jul 23, 2012 at 12:56 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 7/23/12 3:52 PM, "Joshua Riffle" <jriffle at apu.edu> wrote:
>
> >  When the front-facing proxy receives a message on URL at
> >idp.example.edu <http://idp.example.edu> (SSL Certificate) it rewrites
> >the URL to communicate with the back-end Shibboleth server to
> >shib.example.edu <http://shib.example.edu>. This breaks the SAML
> >implementation which (like you said) requires that the URL that receives
> >the message also matches the SAML EndPoint Location.
>
> Then your web server isn't configured properly and you just need to fix
> it. You need to virtualize it to issue redirects and compute URLs as
> idp.example.edu. That's standard.
>
> > The original question is whether or not there is a way
> > of managing this problem via SAML configuration, a hack or something
> >more elegant.
>
> The latter. Standard host virtualization.
>
> -- Scott
>
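A small model of the endpoint check behind the mismatch described in the thread, added here as an example (it is not code from the thread, from Shibboleth or from Apache). It reconstructs the URL the back-end IdP sees for a given proxy configuration (scheme on the proxy-to-Tomcat hop, ProxyPreserveHost on or off) and compares it with the SingleSignOnService Location published in the IdP's metadata; the metadata fragment and the function names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed metadata fragment: the SSO endpoint is published on the
# front-facing host name, as the thread says it must be.
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.edu/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def published_sso_locations(metadata_xml):
    """Return every SingleSignOnService Location published in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iter(f"{{{MD_NS}}}SingleSignOnService")}


def url_seen_by_tomcat(path, backend_scheme, preserve_host):
    """URL the back-end IdP reconstructs for https://idp.example.edu/<path>.

    Apache's ProxyPass rewrites the Host header to the back-end target unless
    ProxyPreserveHost is on; the scheme is whatever the proxy-to-Tomcat hop
    uses (the hypothetical hosts/ports are the thread's example.edu names).
    """
    host = "idp.example.edu" if preserve_host else "shib.example.edu:8443"
    return f"{backend_scheme}://{host}{path}"


def endpoint_matches(received_url, metadata_xml=IDP_METADATA):
    """Endpoint check as the thread describes it: scheme, host and path of the
    URL the message arrives on must equal a published Location."""
    recv = urlsplit(received_url)
    for loc in published_sso_locations(metadata_xml):
        pub = urlsplit(loc)
        if (recv.scheme, recv.netloc, recv.path) == (pub.scheme, pub.netloc, pub.path):
            return True
    return False


if __name__ == "__main__":
    sso = "/profile/SAML2/POST/SSO"
    for scheme, keep_host in (("http", False), ("http", True), ("https", False), ("https", True)):
        url = url_seen_by_tomcat(sso, scheme, keep_host)
        print(f"{scheme:5} preserve_host={keep_host!s:5} -> {url}: match={endpoint_matches(url)}")
```

Only the combination the thread ended up with (ProxyPreserveHost on and an HTTPS hop to Tomcat) reproduces the published Location; clear text to the back end fails on scheme, and no ProxyPreserveHost fails on host.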