Wrong issuer in AuthnRequest
andk
andrius.kulbis at ktu.lt
Mon Apr 4 02:45:12 EDT 2016
Hello,
I got this multi-virtualhost setup on my Debian Jessie machine using
Apache2.4 and Shibboleth SP 2.5.3:
https://host1.domain.test
https://host2.domain.test
*shibboleth2.xml*
<RequestMapper type="Native">
    <RequestMap>
    </RequestMap>
</RequestMapper>
...
<ApplicationDefaults entityID="https://host1.domain.test/shibboleth"
                     REMOTE_USER="eppn" signing="true" encryption="true">
    ...
    <SessionInitiator type="SAML2" Location="/Login" id="IDP.TEST"
                      entityID="https://remote.idp.test/simplesaml/saml2/idp/metadata.php" />
    <SessionInitiator type="Chaining" Location="/Disco" id="DISCO.TEST">
        <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
        <SessionInitiator type="SAMLDS"
                          URL="https://remote.disco.test/simplesaml/module.php/discopower/disco.php"/>
    </SessionInitiator>
    ...
    <ApplicationOverride id="host2"
                         entityID="https://host2.domain.test/shibboleth" REMOTE_USER="eppn"/>
</ApplicationDefaults>
*Apache2 VirtualHost configs:*
# port corrected from the typo 433 to 443, the HTTPS port the URLs above use
<VirtualHost host1_ip:443>
    ServerName host1.domain.test
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession On
        ShibRequestSetting requireSessionWith "IDP.TEST"
        Require shib-session
    </Location>
    ...
</VirtualHost>
<VirtualHost host2_ip:443>
    ServerName host2.domain.test
    Alias /path /var/www/site/path
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    <Location /path/admin>
        AuthType shibboleth
        ShibRequestSetting applicationId host2
        ShibRequestSetting requireSession On
        ShibRequestSetting requireSessionWith "DISCO.TEST"
        Require shib-session
    </Location>
    ...
</VirtualHost>
Firstly, I get the wrong metadata when I visit
https://host2.domain.test/Shibboleth.sso/Metadata, because the entityID is
https://host1.domain.test/shibboleth and not
https://host2.domain.test/shibboleth (the binding URIs are OK).
Secondly, when I try to access https://host2.domain.test/path/admin (secured
by Shibboleth) I get redirected to the remote discovery service, and when I select
the IdP the browser sends an AuthnRequest with the following info:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://host2.domain.test/Shibboleth.sso/SAML2/POST"
    Destination="https://selected_idp/simplesaml/saml2/idp/SSOService.php"
    ID="_98a5dc8859ce9ed7d5024c97f588b6d9"
    IssueInstant="2016-04-04T05:58:13Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host1.domain.test/shibboleth</saml:Issuer>
    <samlp:NameIDPolicy AllowCreate="1" />
</samlp:AuthnRequest>
As you can see the Issuer and ACS are from different hosts. What may be the
problem and what should I do to solve this?
Adding this to <RequestMapper>:
<Host name="host2.domain.test" applicationId="host2">
    <Path name="path/admin" authType="shibboleth" requireSession="true"
          requireSessionWith="DISCO.TEST"/>
</Host>
and changing the Apache VirtualHost config for the secured *path/admin* to this:
<Location /path/admin>
    AuthType shibboleth
    Require shib-session
</Location>
solves my problem, but I would like to avoid Shibboleth's RequestMapper and
use the Apache config for protecting locations and directories if possible.
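As an added example (editor's code, not from the original post or the Shibboleth project), the check below parses an AuthnRequest like the one captured above and reports when its Issuer does not belong to the application that owns the AssertionConsumerServiceURL host. The host-to-entityID map is constructed from the ApplicationDefaults and ApplicationOverride values in the post; the sample requests are likewise constructed copies. Note for the Apache-only route: `ShibRequestSetting applicationId` must also cover the /Shibboleth.sso handler Location (or the whole VirtualHost), because the metadata and session-initiator handlers run under whatever application is mapped for their own URL, not for the protected path.

```python
"""Check that a SAML2 AuthnRequest is issued by the application that owns its ACS host."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed vhost -> entityID map, taken from the ApplicationDefaults /
# ApplicationOverride entries in the post. In a real deployment derive it
# from shibboleth2.xml plus whatever maps hosts to an applicationId.
EXPECTED_ENTITY_ID = {
    "host1.domain.test": "https://host1.domain.test/shibboleth",
    "host2.domain.test": "https://host2.domain.test/shibboleth",
}

# Constructed copy of the request captured in the post (wrong Issuer).
BAD_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://host2.domain.test/Shibboleth.sso/SAML2/POST"
    Destination="https://selected_idp/simplesaml/saml2/idp/SSOService.php"
    ID="_98a5dc8859ce9ed7d5024c97f588b6d9" IssueInstant="2016-04-04T05:58:13Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://host1.domain.test/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>"""

# Constructed variant with the Issuer the host2 override should produce.
GOOD_REQUEST = BAD_REQUEST.replace(
    "https://host1.domain.test/shibboleth", "https://host2.domain.test/shibboleth")


def parse_authn_request(xml_text):
    """Return the fields we need from a samlp:AuthnRequest as a dict."""
    # Input here is constructed; for requests from untrusted peers parse with defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find("{%s}Issuer" % SAML)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def check_issuer(req, expected=EXPECTED_ENTITY_ID):
    """Return a list of findings; an empty list means Issuer and ACS agree."""
    findings = []
    acs_host = urlparse(req["acs_url"]).hostname if req["acs_url"] else None
    if acs_host is None:
        return ["AuthnRequest has no AssertionConsumerServiceURL"]
    if req["issuer"] is None:
        return ["AuthnRequest has no Issuer"]
    # entityIDs are often URLs; only compare hosts when the Issuer actually is one
    issuer_host = urlparse(req["issuer"]).hostname
    if issuer_host is not None and issuer_host != acs_host:
        findings.append("Issuer host %r differs from ACS host %r" % (issuer_host, acs_host))
    want = expected.get(acs_host)
    if want is None:
        findings.append("no application configured for ACS host %r" % acs_host)
    elif req["issuer"] != want:
        findings.append("Issuer is %r but host %r should issue as %r"
                        % (req["issuer"], acs_host, want))
    return findings


if __name__ == "__main__":
    for label, text in (("captured", BAD_REQUEST), ("expected", GOOD_REQUEST)):
        req = parse_authn_request(text)
        print(label, req["id"], check_issuer(req) or "OK")
```

Run against the captured request it reports both the host mismatch and the wrong entityID for host2; against the corrected variant it reports nothing. The same check can be applied to the SP's /Shibboleth.sso/Metadata output by comparing the EntityDescriptor entityID with the host it was fetched from.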