multiple sp hosts behind a firewall/proxy etc

Peter Schober peter.schober at univie.ac.at
Sat May 23 08:58:51 EDT 2015


* Musil, William <wmusil at labvantage.com> [2015-05-23 07:54]:
> Is there a basic guide on how to setup shib SP on multiple hosts
> behind a firewall or proxy with NAT talking to an external idp?

Not sure that's of any help to you, but some 8 years ago I wrote up
this here:
https://wiki.shibboleth.net/confluence/display/SHIB/SPReverseProxy
and Franck updated it for Shib2 at some point:
https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy

If you can forgo back channel requests (such as attribute queries,
which shouldn't be necessary with SAML2) all that matters is that the
subject's HTTP User Agent can reach the IDP web server and the SP web
server, that the hidden resource is configured/virtualized with the
hostname and port the browser sees, and that metadata matches that
same hostname and port. (I.e., metadata and what the browser sees for
the HTTP resource on the SP need to match.)

How you rewrite, proxy, NAT, etc. things so that the browser reaches
the webserver is up to you and does not relate to any of this here.
-peter
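An added configuration example (not from the message above or from the linked wiki pages, and not Shibboleth project code) that shows the one thing the reply says matters: the hidden SP host must present the hostname, scheme and port the browser sees, so that the endpoint URLs the SP generates match the metadata registered at the IdP. The hostname sp.example.org, the internal address 10.0.0.5:8080, the certificate paths and the /secure location are placeholders. The directives (ServerName with scheme and port, UseCanonicalName, ProxyPreserveHost, ProxyPass) are real Apache httpd directives; the Shibboleth authorization lines use the Apache 2.4 syntax.

```apache
# Added example, not part of the original mailing-list post.
# Hostnames, addresses, ports and paths are placeholders.
#
# --- Front end: the public reverse proxy the browser actually talks to ---
# The browser sees https://sp.example.org/ ; the SP itself runs on an
# internal host the browser can never reach directly.
<VirtualHost *:443>
    ServerName sp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sp.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/sp.example.org.key

    # Pass the Host header through unchanged so the back end knows which
    # public name the request was addressed to.
    ProxyPreserveHost On
    # Proxy everything, which also covers the SP's handler URLs under
    # /Shibboleth.sso (the IdP's SAML response is POSTed there by the
    # browser, so it has to be reachable through the proxy).
    ProxyPass        / http://10.0.0.5:8080/
    ProxyPassReverse / http://10.0.0.5:8080/
</VirtualHost>

# --- Back end: the host running mod_shib / shibd, plain HTTP on 8080 ---
# mod_shib builds its own URLs (for example the AssertionConsumerService
# https://sp.example.org/Shibboleth.sso/SAML2/POST) from what Apache
# reports about the request. Pinning scheme, hostname and port to the
# values the browser sees keeps those URLs identical to the ones in the
# SP metadata; without this the SP would advertise http://10.0.0.5:8080/...
# and the IdP would reject the request because no such endpoint exists
# in the metadata.
<VirtualHost *:8080>
    ServerName https://sp.example.org:443
    UseCanonicalName On

    # The protected application path; the SP's own handlers under
    # /Shibboleth.sso need no extra configuration here.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>
</VirtualHost>
```

One caveat a practitioner will hit with this layout: since the TLS-terminating proxy sits in front, the back end sees the proxy's address as the client address. If the SP's `<Sessions>` element in shibboleth2.xml has `checkAddress="true"`, sessions would be bound to that proxy address rather than the user's; either set `checkAddress="false"` or make the back end recover the real client address from the proxy (for example via mod_remoteip) before relying on it.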


More information about the users mailing list