multiple sp hosts behind a firewall/proxy etc

Musil, William wmusil at
Sat May 23 09:00:46 EDT 2015

Thanks, I will definitely read these.

William T. Musil
Manager, Technical Services

LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA

Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at
Skype: bmusil.lvs

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Peter Schober
Sent: Saturday, May 23, 2015 8:59 AM
To: users at
Subject: Re: multiple sp hosts behind a firewall/proxy etc

* Musil, William <wmusil at> [2015-05-23 07:54]:
> Is there a basic guide on how to set up shib SP on multiple hosts
> behind a firewall or proxy with NAT talking to an external idp?

Not sure that's of any help to you, but some 8 years ago I wrote up this here:
and Franck updated it for Shib2 at some point:

If you can forgo back channel requests (such as attribute queries, which shouldn't be necessary with SAML2) all that matters is that the subject's HTTP User Agent can reach the IDP web server and the SP web server, that the hidden resource is configured/virtualized with the hostname and port the browser sees, and that metadata matches that same hostname and port. (I.e., metadata and what the browser sees for the HTTP resource on the SP need to match.)

How you rewrite, proxy, NAT, etc. things so that the browser reaches the webserver is up to you and does not relate to any of this here.