multiple sp hosts behind a firewall/proxy etc

Peter Schober peter.schober at
Sat May 23 08:58:51 EDT 2015

* Musil, William <wmusil at> [2015-05-23 07:54]:
> Is there a basic guide on how to setup shib SP on multiple hosts
> behind a firewall or proxy with NAT talking to an external idp?

Not sure that's of any help to you, but some 8 years ago I wrote up
this here:
and Franck updated it for Shib2 at some point:

If you can forgo back channel requests (such as attribute queries,
which shouldn't be necessary with SAML2) all that matters is that the
subject's HTTP User Agent can reach the IDP web server and the SP web
server, that the hidden resource is configured/virtualized with the
hostname and port the browser sees, and that metadata matches that
same hostname and port. (I.e., metadata and what the browser sees for
HTTP resource on the SP need to match.)

How you rewrite, proxy, NAT, etc. things so that the browser reaches
the webserver is up to you and does not relate to any of this here.

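The point Peter makes above (metadata and what the browser sees for the SP's HTTP resources must match, while back-channel endpoints are a separate concern) can be checked mechanically. The following is an added example, not code from the original post or from the Shibboleth project: it parses SP metadata, compares the scheme, hostname and port of every browser-facing endpoint (HTTP-POST, HTTP-Redirect, HTTP-Artifact bindings) against the origin the browser actually uses, and lists SOAP-bound endpoints separately, since those are reached by the IdP itself rather than the user agent. The metadata document, the hostnames `sp.example.org` and `sp-internal.corp.local`, and the port numbers are constructed for the example.

```python
"""Check that Shibboleth SP metadata endpoints match the hostname and port
the browser sees, as required when the SP sits behind a proxy or NAT."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample SP metadata (not a real deployment): the SLO/Redirect
# and first ACS endpoint are published with the external hostname, the
# second ACS endpoint accidentally carries the internal hostname and port
# the SP host itself sees behind the NAT/proxy.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.org:8443/Shibboleth.sso/SLO/SOAP"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp-internal.corp.local:8080/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Endpoint elements whose Location the browser (or IdP) is sent to.
ENDPOINT_TAGS = {"AssertionConsumerService", "SingleLogoutService",
                 "ArtifactResolutionService"}

# Bindings the user agent follows; SOAP bindings are back channel.
BROWSER_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}


def endpoints(metadata_xml):
    """Yield (tag, Binding, Location) for every endpoint in document order."""
    root = ET.fromstring(metadata_xml)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the namespace URI
        if local in ENDPOINT_TAGS:
            yield local, el.get("Binding"), el.get("Location")


def effective_port(parts):
    """Port of a split URL, defaulting by scheme when none is written."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def check_endpoints(metadata_xml, browser_url):
    """Return (tag, Location, reason) for browser-facing endpoints whose
    scheme, hostname or port differs from what the browser uses."""
    expected = urlsplit(browser_url)
    problems = []
    for tag, binding, loc in endpoints(metadata_xml):
        if binding not in BROWSER_BINDINGS:
            continue  # back channel: the IdP, not the browser, reaches it
        got = urlsplit(loc)
        if got.scheme != expected.scheme:
            problems.append((tag, loc, "scheme"))
        elif got.hostname != expected.hostname:
            problems.append((tag, loc, "hostname"))
        elif effective_port(got) != effective_port(expected):
            problems.append((tag, loc, "port"))
    return problems


def back_channel_endpoints(metadata_xml):
    """Return (tag, Location) for SOAP-bound endpoints the IdP must reach
    directly; these only matter if back-channel requests are used."""
    return [(tag, loc) for tag, binding, loc in endpoints(metadata_xml)
            if binding not in BROWSER_BINDINGS]


if __name__ == "__main__":
    for tag, loc, reason in check_endpoints(SAMPLE_METADATA,
                                            "https://sp.example.org/"):
        print(f"MISMATCH {tag}: {loc} differs in {reason}")
    for tag, loc in back_channel_endpoints(SAMPLE_METADATA):
        print(f"BACK CHANNEL {tag}: {loc} (IdP must reach this, not the browser)")
```

Run it with the origin users type into their browser (`https://sp.example.org/` in the sample) as the second argument; any `MISMATCH` line is an endpoint the IdP will send the browser to that the proxy or NAT setup may not route, which is exactly the metadata/virtual-host mismatch the post warns about. The `BACK CHANNEL` lines are the SOAP endpoints that only need to be reachable from the IdP, and only if attribute queries or SOAP logout are actually in use.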