Multi-Domain SP

Simon Bright simon.bright at e2bn.org
Mon Mar 11 12:32:26 EDT 2013


Hi Ran 

Just jumping in here. We have two vhosts set up here on Apache. I'll refrain from saying "you must have", but you may find that it will only work if you have a separate IP for each host.

My ssl.conf file has these lines. My server has two IP addresses on one NIC. The following config is then duplicated for each host, using the correct IP address, hostname and certificate paths for each.

<VirtualHost [ip address here]:443> 
ServerName hostname:443 
DocumentRoot /var/www/html/hostname 
ErrorLog logs/hostname/ssl_error_log 
TransferLog logs/hostname/ssl_access_log 
LogLevel warn 
SSLEngine on 
SSLVerifyDepth 10 
SSLOptions +StdEnvVars +ExportCertData 
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW 
SSLCertificateFile /path-to-certificate 
SSLCertificateKeyFile /path-to-key 
SSLCertificateChainFile /path-to-cabundle
SSLVerifyClient none 
</VirtualHost> 



Regards 

Simon Bright 
Technical Services Manager 
E2BN 
01462 834588 
07912 853 107 
www.e2bn.org 



----- Original Message -----

Well after a few days of playing around with this, I literally narrowed down the problem to 3 lines in server.conf. 

This is my current configuration: 



    1. ServerName https://original.example.com:443 
    2. UseCanonicalName On 
    3. ProxyPreserveHost On 
    4. ProxyIOBufferSize 65536 
    5. <VirtualHost new-host.example.com:443 > 
    6. ServerName https://new-host.example.com:443 
    7. UseCanonicalName On 
    8. <Location /> 
    9. </Location> 
    10. </VirtualHost> 

With this configuration, original is able to log in and new-host gives the error.

If I change line #5 to: 
<VirtualHost new-host.example.com:*> 
The situation is reversed and new-host logs in, while new-host gives the error.

What is wrong with my binding? I've tried every combination I can think of but nothing works.




On Mon, Mar 11, 2013 at 2:31 PM, Ran <ran at sheinberg.net> wrote:



It's not working yet, no. The error did not change.
opensaml::BindingException at ( https://original.example.com/Shibboleth.sso/SAML2/POST ) 
SAML message delivered with POST to incorrect server URL. 

I understand your comment about the VirtualHost directive. In that case, this is what I have right now:

<VirtualHost new-host.example.com:443 > 
ServerName https://new-host.example.com:443 
<Location /> 
AuthType shibboleth 
require shibboleth 
ShibUseHeaders on 
</Location> 
</VirtualHost> 

The ServerName in the VirtualHost is correct, because I can paste it in my browser and get to the Apache landing page. This is what I'm using to build the Request URL.
Am I missing any directives in that snippet? At this point I'm just winging it by copying different parts from different guides.


On Mon, Mar 11, 2013 at 2:23 PM, Peter Schober <peter.schober at univie.ac.at> wrote:

* Ran <ran at sheinberg.net> [2013-03-11 13:11]:
> Well I removed all the irrelevant stuff per your recommendation.
> Removed all the added stuff from Shibboleth.xml
> Started fresh on the IdP by regenerating the Metadata from the SP and
> adding the ACS URLs + upped their indexes.

Didn't see an error report in your mail, though, so is it working as
expected?

> Now I think the last point is httpd.conf. This is what I left:
> <VirtualHost new-host.example.com:443 >
> ServerName new-host.example.com:443
> ServerAlias new-host.example.com
> UseCanonicalName On
> </VirtualHost>
>
> I am trying without Location and the applicationId as you mentioned.
> Am I using the directives correctly?
> And another question is how should the VirtualHost do the binding? On port
> 443 which is what the Load Balancer is listening on? Or maybe 8080 since
> this is what the Application is listening to (so maybe <VirtualHost
> new-host.example.com:8080 > ? That doesn't seem to work as well...

So you are in fact terminating SSL at some other system? The advice
stays the same: ServerName needs to be correct. Correct means matches
whatever the HTTP User Agent sees, i.e. including the schema (https)
before the hostname.
On what local TCP port you have your httpd listen is irrelevant for
any purposes of this list and the Shibboleth software (assuming you
don't intend on exposing this to the network). What's wrong with port
80? But local deployment choice, really.
Also note that httpd does not bind to ports based on virtualhost
directives (it uses the Listen directives for that).
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net



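Pulling the thread's two points together (Simon's one-VirtualHost-per-host layout and Peter's rule that ServerName must match what the user agent sees, scheme included, with Listen rather than VirtualHost deciding the bound port), here is an added example of an httpd.conf fragment for two SP hostnames served by one httpd behind an SSL-terminating load balancer. It is not from this thread or from the Shibboleth project; the hostnames, the local port 8080 and the /secure path are assumptions. Because TLS terminates at the load balancer there are no SSL* directives, so Simon's SSLCipherSuite string (which still enables RC4 and LOW-strength suites) does not carry over. Apache accepts a scheme in ServerName from 2.2.3 onward.

```apache
# Added example (not the thread's or the project's config): two
# Shibboleth-protected hostnames on one httpd behind a load balancer
# that terminates TLS and forwards plain HTTP to this host.
# Assumed: the LB forwards the original Host header unchanged, so httpd
# can pick the matching name-based vhost below.

# httpd binds to this port because of Listen, not because of the
# addresses written in <VirtualHost>.
Listen 8080
# Apache 2.2 needs this for several name-based vhosts on one ip:port;
# Apache 2.4 ignores it, so drop the line there.
NameVirtualHost *:8080

<VirtualHost *:8080>
    # Scheme and port are what the browser sees at the load balancer,
    # not what httpd listens on. With UseCanonicalName On, httpd and
    # mod_shib build self-referential URLs (including the
    # /Shibboleth.sso handler URL) from this ServerName, so the SAML
    # POST destination the IdP signed matches what the SP computes.
    ServerName https://original.example.com:443
    UseCanonicalName On
    DocumentRoot /var/www/html/original
    ErrorLog logs/original/error_log
    CustomLog logs/original/access_log combined

    # Attributes reach the application as environment variables by
    # default; ShibUseHeaders is not needed for that.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:8080>
    ServerName https://new-host.example.com:443
    UseCanonicalName On
    DocumentRoot /var/www/html/new-host
    ErrorLog logs/new-host/error_log
    CustomLog logs/new-host/access_log combined

    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

After editing, `httpd -S` (or `apachectl -S`) prints the parsed vhost table and shows which ServerName each port and name resolves to, which is the quickest way to confirm both hosts are distinct vhosts rather than one default catching everything. The SP metadata registered at the IdP still needs an AssertionConsumerService entry for each hostname, as Ran did earlier in the thread; ServerName only fixes which URL the SP believes it received the POST on.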
