multiple sp hosts behind a firewall/proxy etc
Musil, William
wmusil at labvantage.com
Sat May 23 09:00:46 EDT 2015
Thanks, I will definitely read these.
William T. Musil
Manager, Technical Services
LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA
Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at labvantage.com
Website: www.labvantage.com
Skype: bmusil.lvs
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Saturday, May 23, 2015 8:59 AM
To: users at shibboleth.net
Subject: Re: multiple sp hosts behind a firewall/proxy etc
* Musil, William <wmusil at labvantage.com> [2015-05-23 07:54]:
> Is there a basic guide on how to set up shib SP on multiple hosts
> behind a firewall or proxy with NAT talking to an external idp?
Not sure that's of any help to you, but some 8 years ago I wrote up this here:
https://wiki.shibboleth.net/confluence/display/SHIB/SPReverseProxy
and Franck updated it for Shib2 at some point:
https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy
If you can forgo back channel requests (such as attribute queries, which shouldn't be necessary with SAML2) all that matters is that the subject's HTTP User Agent can reach the IDP web server and the SP web server, that the hidden resource is configured/virtualized with the hostname and port the browser sees, and that metadata matches that same hostname and port. (I.e., metadata and what the browser sees for the HTTP resource on the SP need to match.)
How you rewrite, proxy, NAT, etc. things so that the browser reaches the webserver is up to you and does not relate to any of this here.
-peter
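Added example, not part of the original thread or of the Shibboleth project: a small check that the endpoint URLs in an SP's SAML metadata carry the same scheme, hostname and port the browser sees, which is the matching requirement described in the reply above. The metadata document and the host names (sp.example.org, app01.internal.example) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: SP metadata where one endpoint still carries the
# internal host name and port instead of the ones the proxy exposes.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app01.internal.example:8443/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def mismatched_endpoints(metadata_xml, browser_url):
    """List (element name, Location) pairs whose origin differs from browser_url."""
    expected = origin(browser_url)
    bad = []
    root = ET.fromstring(metadata_xml)
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for endpoint in sp:
            location = endpoint.get("Location")
            if location and origin(location) != expected:
                bad.append((endpoint.tag.rpartition("}")[2], location))
    return bad

if __name__ == "__main__":
    # browser_url is the address users type, i.e. the proxy's public name.
    for name, location in mismatched_endpoints(SAMPLE_METADATA, "https://sp.example.org/"):
        print(f"{name}: {location} does not match what the browser sees")
```

An endpoint flagged here is one the IdP would send the browser to at an address that differs from the virtualized hostname and port, so the response would not arrive where the SP expects it.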