multiple sp hosts behind a firewall/proxy etc

Musil, William wmusil at
Sun May 24 17:27:16 EDT 2015

I did it all over again, perhaps I fat-fingered it.

I used testshib to create the dummy shibboleth2.xml
I started shibd and httpd and ran /Shibboleth.sso/Metadata.
I stopped shibd and httpd
I uploaded the metadata to testshib (note that this failed once, dunno why, uploaded it a second time and it went)
Start shibd and httpd and I am getting through.

I can turn off one or the other shibd and httpd and connecting just sends me to the running one.

I have one and only one problem now.

Now that I am using the proxy config as suggested, the redirect after success just sends me back to the root of the site, dropping the context. I am protecting /CR/rc/login. Instead of redirecting me to the http://proxy/CR/rc/login after talking to the idp, it sends me to http://proxy.

Note that before attempting this proxy specific configuration it was all working internally, but of course I was getting redirects to the individual backend servers, including the post-login process with the correct context which of course cannot work beyond a NAT boundary. So before this I was not getting dumped to the root of the site. This works on a single node implementation as well.

Am I missing something where configuring for reverse proxy strips my protected context on redirect?

If after testshib login, where it dumps me to the root of the site, I simply retype the URL with /CR/rc/login at the end, it sees that I am already authenticated with the IdP and takes me to the post-login process under the CR context. So it works, it just looks funny. Of course end users don't like that.

William T. Musil
Manager, Technical Services

LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA

Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at
Skype: bmusil.lvs
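The symptom above (landing on the site root instead of /CR/rc/login after the IdP round trip) is what a lost or unusable relay state looks like. The following is an added illustration, not code from the original thread or from the Shibboleth SP: it models how a post-login target is recorded before the redirect to the IdP and resolved on return, re-rooting targets that name a backend host onto the public proxy name and falling back to the root for anything missing or off-site. The hostnames `proxy`, `sp1.internal` and `sp2.internal` and the in-memory store are constructed assumptions.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example (not taken from the thread).
PUBLIC_BASE = "http://proxy"                     # name users and the IdP see
INTERNAL_HOSTS = {"sp1.internal", "sp2.internal"}  # backend SP nodes behind NAT

# Assumed relay-state store: opaque key -> URL the user originally asked for.
# A real multi-node deployment needs this shared (or carried client-side);
# a per-node memory store is one way the target gets lost between hosts.
_relay = {}


def issue_relay_state(target_url):
    """Record the requested URL and return the opaque key that accompanies
    the authentication request to the IdP."""
    key = secrets.token_urlsafe(16)
    _relay[key] = target_url
    return key


def resolve_return_url(key, public_base=PUBLIC_BASE, internal_hosts=INTERNAL_HOSTS):
    """Turn the relay key presented on return into the URL to redirect to.

    - unknown/expired key          -> site root (the symptom in the message)
    - relative path                -> re-rooted on the public host
    - public host or known backend -> same path, but on the public host
    - anything else                -> site root (no open redirect)
    Keys are single-use.
    """
    pub = urlsplit(public_base)
    root = urlunsplit((pub.scheme, pub.netloc, "/", "", ""))

    target = _relay.pop(key, None)
    if not target:
        return root

    t = urlsplit(target)

    # Plain relative path such as "/CR/rc/login?x=1" (reject "//host/..." forms).
    if not t.scheme and not t.netloc and t.path.startswith("/") \
            and not t.path.startswith("//"):
        return urlunsplit((pub.scheme, pub.netloc, t.path, t.query, ""))

    # Absolute URL: accept only the public name or a known backend node,
    # and always send the browser to the public name, never the backend.
    host_ok = (t.netloc.lower() == pub.netloc.lower()
               or (t.hostname or "").lower() in internal_hosts)
    if host_ok:
        return urlunsplit((pub.scheme, pub.netloc, t.path or "/", t.query, ""))

    return root


if __name__ == "__main__":
    k = issue_relay_state("http://sp1.internal/CR/rc/login")
    print(resolve_return_url(k))            # http://proxy/CR/rc/login
    print(resolve_return_url("stale-key"))  # http://proxy/
```

The point of the `internal_hosts` branch is that a target recorded with a backend's own name is still useful as a path, but only after the host is swapped for the one reachable from outside the NAT; a target naming any other host is dropped to the root rather than followed.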

-----Original Message-----
From: Cantor, Scott [mailto:cantor.2 at] 
Sent: Sunday, May 24, 2015 3:15 PM
To: Shib Users; Musil, William
Subject: Re: multiple sp hosts behind a firewall/proxy etc

On 5/24/15, 4:43 AM, "Musil, William" <wmusil at> wrote:

>OK Scott and Peter, I guess I am still not getting it.
>I created a keypair with the proxy name ( as hostname and entity, and a shibboleth2.xml that I created using testshib page.

The name in the cert means nothing whatsoever.

>Failed to decrypt assertion: Unable to resolve any key decryption keys

Then the testshib IdP is using a different key to encrypt under than the SP receiving it is using.

-- Scott
