Shibboleth IDP trust with other IDP

Cantor, Scott cantor.2 at osu.edu
Sun Mar 9 22:59:30 EDT 2014


On 3/9/14, 9:32 PM, "krrishv" <krish.v at gmail.com> wrote:
>
>I understand this but how can I achieve this? Can you guide me.

I tried to guide you, by explaining that you don't need to do any of this
and that your entire project made little sense to start with. You do not
need two SAML IdPs here and I do not understand why you insist on
believing you do. You should stop and start over by eliminating the entire
middle portion of this picture.

>Shibboleth IdP is running on Tomcat port 8443. Shibboleth SP won't support
>Tomcat. How can I protect only IDP/Authn/RemoteUser?

You don't do it that way. To use the SP, the IdP has to be proxied behind
Apache using mod_proxy_ajp and appropriate ProxyPass settings. You cannot
use Tomcat as the web server directly.

>I tried to change the IdP metadata on the SP side to the Apache URL which
>proxies back to the Shibboleth IdP. In this case I receive the error message
>"did not sent for intended audience".

If you insist on HTTP proxying, then you are required to properly
configure the container to believe it's running on the proxying host and
port. You should not do that and use AJP instead, as it's much simpler to
configure.

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall

-- Scott
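The setup the reply points at, as an added configuration example that is not part of the original thread or of the Shibboleth project's documentation: Apache httpd terminates TLS, hands the IdP context to Tomcat over AJP with mod_proxy_ajp, and the Shibboleth SP protects only the RemoteUser login handler. Hostnames, ports, paths and certificate locations are assumed values.

```apache
# Added example (assumed values): Apache httpd in front of the Shibboleth IdP.
# Assumes Tomcat's AJP connector listens on localhost:8009, the IdP is deployed
# under the /idp context, and the public name is idp.example.org.
# Requires mod_ssl, mod_proxy, mod_proxy_ajp and the Shibboleth SP module.

<VirtualHost *:443>
    ServerName idp.example.org

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

    # Hand the whole IdP context to Tomcat over AJP. AJP carries the original
    # scheme, host and port to the container, so Tomcat builds correct URLs
    # without any proxyName/proxyPort settings on the connector.
    ProxyPass /idp ajp://localhost:8009/idp

    # Only the RemoteUser login handler is protected by the SP. Every other
    # IdP endpoint (SSO, metadata, SOAP/attribute query) must stay open,
    # otherwise relying parties cannot reach it.
    <Location /idp/Authn/RemoteUser>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

For REMOTE_USER to reach the IdP, Apache must pass the authenticated user over AJP and Tomcat must accept it: the AJP connector in Tomcat's server.xml needs `tomcatAuthentication="false"`, and the SP's REMOTE_USER mapping (the `REMOTE_USER` attribute in shibboleth2.xml) decides which attribute from the upstream IdP becomes the user name. Because the SP sets REMOTE_USER as a server variable rather than a header, nothing has to be stripped from client requests on this path.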
