Wrong issuer in AuthenRequest
Nate Klingenstein
nate.klingenstein at utah.edu
Mon Apr 4 03:53:50 EDT 2016
Andk,
> Firstly I get wrong metadata when I visit
> https://host2.domain.test/Shibboleth.sso/Metadata, because the entityID is
> https://host1.domain.test/shibboleth and not
> https://host2.domain.test/shibboleth (binding URI are ok).
This is deliberate and known. The metadata handler is only capable of knowing the environment in which it is operating when it receives the request. If you have anything more complicated than a bread box, you’ll need to work on metadata manually. This is the reason for the warning at the top of the file and in the documentation.
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPHandler#NativeSPHandler-MetadataGenerationHandler
> As you can see the Issuer and ACS are from different hosts. What may be the
> problem and what should I do to solve this?
You’ll need to make sure that your SP is issuing requests as the right issuer and as the right consumer. It looks like you’ve explicitly set https://host1.domain.test/shibboleth as your entityID, but when you generated your metadata, you went to host2. As a result, your IdP now has metadata for these SP's that looks like:
entityID: host1.domain
endpoints and everything else: host2
> This solves my problem, but I would like to avoid the RequestMapper of
> shibboleth and use Apache config for protecting locations and directories if
> possible.
I think all you did is generate metadata in such a way that it magically ended up coherent for that particular set of settings.
Do you need these two applications to appear as two logically distinct services to an identity provider?
If so, you would still need application overrides. If not, you want to avoid them at all costs because they’re as confusing as you’re demonstrating, so just have one entityID with endpoints for both domains.
That will also require manual metadata, but it’s as simple as going to a host, using that metadata generator, making sure the entityID and keys on both hosts are the same, and plopping endpoints from host2 into the metadata generated on host1.
Hope this helps,
Nate.
More information about the users
mailing list