multiple sp hosts behind a firewall/proxy etc
Musil, William
wmusil at labvantage.com
Sun May 24 21:18:50 EDT 2015
Actually ss:mem is better, for me, for now. :-D
I really don’t want or need to be an SME expert in shibboleth right now, nor use fiddler to figure it out.
We know the cookies are the problem, but I am lucky that our webapp implementation is the one and only application context available. We require dedicated JVMs, and the apache layer where shib is loaded is also dedicated to that jvm, we require it in clusters for the application server connector. JBoss-EAP and JBoss-EWS, or WebSphere and IHS, or WebLogic and OHS.
So, I just change the default landing page to refresh to my top level context, and put back ss:mem.
Works now.
I am sure that this won't work for the other protected locations, but I can revisit the cookie issue with our development team and let them figure it out.
Thank you so much Scott for your repeated prompt responses. You were a huge help.
The proof of concept is running with a few glitches that I can live with for the weekend.
William T. Musil
Manager, Technical Services
LABVANTAGE Solutions, Inc.
265 Davidson Avenue, Suite 220
Somerset, NJ 08873-4120 USA
Phone: 908-333-0111
Mobile: 908-531-0835
Fax: 732-560-0121
Email: wmusil at labvantage.com
Website: www.labvantage.com
Skype: bmusil.lvs
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Musil, William
Sent: Sunday, May 24, 2015 6:50 PM
To: Cantor, Scott; Shib Users
Subject: RE: multiple sp hosts behind a firewall/proxy etc
RelayState set to "cookie", worse - mad looping.
GET, POST, GET, POST and on and on.
Reading through the diagnosis possibilities.
Maybe ss:mem is not so bad after all :-D
I have also set cookieProps = "http" as I am not using SSL for this proof of concept. It didn’t help.
William T. Musil
-----Original Message-----
From: Cantor, Scott [mailto:cantor.2 at osu.edu]
Sent: Sunday, May 24, 2015 5:35 PM
To: Musil, William; Shib Users
Subject: Re: multiple sp hosts behind a firewall/proxy etc
On 5/24/15, 5:27 PM, "Musil, William" <wmusil at labvantage.com> wrote:
>
>Now that I am using the proxy config as suggested, the redirect after success just sends me back to the root of the site, dropping the context. I am protecting /CR/rc/login. Instead of redirecting me to the http://proxy/CR/rc/login after talking to the idp, it sends me to http://proxy.
The default relay state mechanism is in-memory, so if you're switching systems mid-stream, it's not going to work. Change it to use a cookie and you can make that work even if the relay state is set on a different SP instance from the one that handles the response.
-- Scott
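
A simplified model of the behaviour described in the reply above, added here as an illustration; it is not Shibboleth code and not from either poster. The class, the function names, the `_shibstate_` cookie prefix and the fallback URL are assumptions of the model. It shows why per-process relay state is lost when the IdP response reaches a different SP instance than the one that started the login, while browser-carried relay state survives.

```python
"""Toy model (assumption, not Shibboleth code) of SP relay state behind a proxy."""
import secrets
from urllib.parse import quote, unquote

HOME_URL = "http://proxy"                   # fallback when relay state cannot be recovered
TARGET = "http://proxy/CR/rc/login"         # protected location from the thread


class SPInstance:
    def __init__(self, name, relay_state):
        self.name = name
        self.relay_state = relay_state      # "ss:mem" or "cookie"
        self.memory = {}                    # per-process storage, not shared between hosts

    def start_login(self, target, browser_cookies):
        """Remember the requested URL; return the RelayState value that travels via the IdP."""
        key = secrets.token_hex(8)
        if self.relay_state == "ss:mem":
            self.memory[key] = target       # only this instance can resolve the key later
            return "ss:mem:" + key
        # Cookie mode: the browser carries the target, so any instance can read it back.
        browser_cookies["_shibstate_" + key] = quote(target, safe="")
        return "cookie:" + key

    def finish_login(self, relay_state, browser_cookies):
        """Handle the IdP response; return the URL the browser is redirected to."""
        scheme, _, key = relay_state.rpartition(":")
        if scheme == "ss:mem":
            return self.memory.pop(key, HOME_URL)
        value = browser_cookies.pop("_shibstate_" + key, None)
        return unquote(value) if value else HOME_URL


def login_roundtrip(relay_state, same_instance):
    """Start a login on sp-a, finish it on sp-a or sp-b, and return the final redirect."""
    sp_a = SPInstance("sp-a", relay_state)
    sp_b = SPInstance("sp-b", relay_state)
    cookies = {}                            # the browser's cookie jar for the proxy host
    rs = sp_a.start_login(TARGET, cookies)
    responder = sp_a if same_instance else sp_b
    return responder.finish_login(rs, cookies)


if __name__ == "__main__":
    for mode, same in (("ss:mem", True), ("ss:mem", False), ("cookie", False)):
        print(mode, "same instance" if same else "other instance", "->",
              login_roundtrip(mode, same))
```

The model covers only where the target URL is stored; it does not reproduce the GET/POST looping reported later in the thread.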