
Andrea Bielmeier Andrea.Bielmeier at bizcon.de
Mon Jul 1 06:24:14 EDT 2013


Subject: multi vhosts with one single IdP configuration entry





Hi,

We established protection for several application instances (dev, ref) with one Shibboleth SP on the reverse proxy machine mysi.atos.net. Each application is reachable through a separate vhost, realized by <ApplicationDefaults> including <ApplicationOverride> elements.
The problem is: the IdP has to configure one block for each of the vhosts, though the configurations are identical; only the vhost name is different. The aim is to simplify the IdP configuration.
We made an attempt with ACS, but it seems that we made a mistake there or forgot something. Is there any solution hint for this scenario?

I already roamed through the Shib manual and user questions archive but did not find a suitable solution.

Here are the details:
WORKING configuration with multiple endpoints configured on the IdP side; the applicationIds are used in <RequestMapper>:
<ApplicationDefaults id="default" entityID="https://mysi.atos.net" REMOTE_USER="eppn">
    <Sessions lifetime="7200" timeout="3600" relayState="ss:mem" checkAddress="true" handlerURL="https://mysi.atos.net/Shibboleth.sso" handlerSSL="true" cookieProps="https">
        <SSO entityID="https://example.idp.net">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" file="exampleidpnet.xml"/>
    <!-- and several additional ApplicationIDs like: -->
    <ApplicationOverride id="application1" entityID="https://nsntxdev.atos.net">
        <Sessions lifetime="7200" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
            <SSO entityID="https://example.idp.net">SAML2</SSO>
        </Sessions>
    </ApplicationOverride>
</ApplicationDefaults>

The idea was to sum it up with one single entityID. Therefore I used the unique FQDN handlerURL and substituted the <SSO> and <ApplicationOverride> elements with <SessionInitiator> and <AssertionConsumerService>. But the attempt with ACS in the <Sessions> element only works for index=1 and fails for all other indexes.


        <Sessions lifetime="7200" timeout="3600" relayState="ss:mem" checkAddress="true" handlerURL="https://mysi.atos.net/Shibboleth.sso" handlerSSL="true" cookieProps="https">
            <SessionInitiator type="Chaining" relayState="cookie" Location="/Login" isDefault="true" id="Login"
                              entityID="https://example.idp.net">
                <SessionInitiator type="SAML2" defaultACSIndex="1" template="bindingTemplate.html"/>
            </SessionInitiator>
            <md:AssertionConsumerService index="1"
                                         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                         Location="/SAML2/POST"/>
            <md:AssertionConsumerService index="2"
                                         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                         Location="https://nsntxdev.atos.net/Shibboleth.sso/SAML2/POST"/>
        </Sessions>


Is there any chance to reduce the IdP configuration and sum up all these applications/vhosts/endpoints into one single IdP configuration entry for the reverse proxy SP mysi.atos.net?
If there is no simple solution, which other ideas are there, e.g. a subdomain?

Any help is appreciated.

Thanks and regards,
Andrea Bielmeier
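
The post's second attempt relies on one entityID carrying several AssertionConsumerService endpoints. The following is an added example, not code from the post or from the Shibboleth project: it parses a constructed <Sessions> fragment of that shape (the hostnames mysi.atos.net and nsntxdev.atos.net are taken from the post; vhost-ref.example.net is a hypothetical third instance), checks that every vhost has an absolute HTTPS ACS Location with a unique index under the single entityID, and renders the <md:AssertionConsumerService> list that the SP's metadata has to carry on the IdP side. The checks are my own, not something the SP performs. They matter because an IdP delivers assertions only to ACS URLs that appear in the SP's metadata, so a relative Location like the post's index="1" cannot be published for a specific vhost.

```python
"""Audit one SP <Sessions> block for single-entityID, multi-vhost use.

Added example; not code from the original post or from the Shibboleth
project. The fragment below is constructed to mirror the post's second
attempt: one entityID, several vhosts, ACS endpoints under one <Sessions>.
mysi.atos.net and nsntxdev.atos.net come from the post; vhost-ref.example.net
is a hypothetical third instance.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample input (not the poster's exact file).
SESSIONS_XML = """\
<Sessions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https">
  <md:AssertionConsumerService index="1" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://mysi.atos.net/Shibboleth.sso/SAML2/POST"/>
  <md:AssertionConsumerService index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://nsntxdev.atos.net/Shibboleth.sso/SAML2/POST"/>
  <md:AssertionConsumerService index="3"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="/SAML2/POST"/>
</Sessions>
"""


def parse_acs(sessions_xml):
    """Return the ACS endpoints declared directly under <Sessions>."""
    root = ET.fromstring(sessions_xml)
    acs = []
    for el in root.findall(f"{{{MD_NS}}}AssertionConsumerService"):
        acs.append({
            "index": int(el.get("index")),
            "binding": el.get("Binding"),
            "location": el.get("Location"),
            "default": el.get("isDefault") == "true",
        })
    return acs


def audit_acs(acs, vhosts):
    """Return a list of problems; empty means every vhost in `vhosts` can be
    served by this one entityID once the IdP loads matching metadata.

    An IdP only delivers an assertion to an ACS URL listed in the SP's
    metadata, so each vhost needs its own absolute HTTPS Location under
    the single entityID; a relative Location cannot be published as-is.
    """
    problems = []
    indexes = [a["index"] for a in acs]
    if len(set(indexes)) != len(indexes):
        problems.append("duplicate ACS index values")
    if sum(a["default"] for a in acs) != 1:
        problems.append('exactly one ACS should carry isDefault="true"')
    covered = set()
    for a in acs:
        u = urlparse(a["location"])
        if not u.scheme:
            problems.append(f"index {a['index']}: relative Location "
                            f"{a['location']} cannot be published for a specific vhost")
            continue
        if u.scheme != "https":
            problems.append(f"index {a['index']}: non-HTTPS Location {a['location']}")
            continue
        covered.add(u.hostname)
    for host in vhosts:
        if host not in covered:
            problems.append(f"vhost {host}: no absolute ACS Location declared")
    return problems


def render_metadata(acs):
    """Render the ACS list as the <md:AssertionConsumerService> elements the
    single SP entity's metadata must carry on the IdP side."""
    spsso = ET.Element(f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for a in sorted(acs, key=lambda a: a["index"]):
        el = ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService")
        el.set("Binding", a["binding"])
        el.set("Location", a["location"])
        el.set("index", str(a["index"]))
        if a["default"]:
            el.set("isDefault", "true")
    return ET.tostring(spsso, encoding="unicode")


if __name__ == "__main__":
    endpoints = parse_acs(SESSIONS_XML)
    hosts = ["mysi.atos.net", "nsntxdev.atos.net", "vhost-ref.example.net"]
    for p in audit_acs(endpoints, hosts):
        print("PROBLEM:", p)
    # Only the absolute endpoints are publishable under the one entityID.
    print(render_metadata([a for a in endpoints if a["location"].startswith("https://")]))
```

Run stand-alone it reports the relative index="3" Location and the uncovered vhost-ref.example.net, then prints the SPSSODescriptor fragment for the two publishable endpoints. Each vhost that should accept a response needs its own absolute entry in that fragment; the IdP's copy of the SP metadata then has to contain the same list, which is the single IdP-side entry the post is asking for.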

