Shibboleth handler invoked at an unconfigured location
reda sabir
sabiretude at gmail.com
Fri May 20 05:49:05 EDT 2016
Hi Peter,
I've changed my conf so that I can take into account your suggestions. Now
my shibboleth2.xml is:
>
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>           xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
>           xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>           xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>           xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>           clockSkew="180">
>
>   <ApplicationDefaults
>       entityID="sp.shibboleth.example.com"
>       REMOTE_USER="eppn persistent-id targeted-id">
>
>     <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
>               checkAddress="false" handlerURL="/Shibboleth.sso"
>               handlerSSL="false" cookieProps="; path=/; domain=example.com; http">
>       <SSO>
>         SAML2
>       </SSO>
>
>       <Logout>SAML2 Local</Logout>
>       <Handler type="MetadataGenerator" Location="/Metadata"
>                signing="false"/>
>       <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
>       <Handler type="Session" Location="/Session"
>                showAttributeValues="false"/>
>       <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>     </Sessions>
>
>     <MetadataProvider type="Chaining">
>       <MetadataProvider type="XML" validate="true"
>                         file="/etc/shibboleth/openam_metadata.xml"/>
>       <MetadataProvider type="XML" validate="true"
>                         file="/etc/shibboleth/wso2_metadata.xml"/>
>     </MetadataProvider>
>
>     <AttributeExtractor type="XML" validate="true" reloadChanges="false"
>                         path="attribute-map.xml"/>
>     <AttributeResolver type="Query" subjectMatch="true"/>
>     <AttributeFilter type="XML" validate="true"
>                      path="attribute-policy.xml"/>
>
>   </ApplicationDefaults>
>
>   <SecurityPolicyProvider type="XML" validate="true"
>                           path="security-policy.xml"/>
>
>   <ProtocolProvider type="XML" validate="true" reloadChanges="false"
>                     path="protocols.xml"/>
>
> </SPConfig>
>
The problem is that I have the same problem again. I dug a bit and I
found that if I remove one vhost, it works correctly, and if I put two vhosts
or more, it will always take me to the IdP that has the entity ID of the
first vhost. For example, for this httpd.conf:
> #openam
> <VirtualHost *:80>
>     ServerName openam.shibboleth.example.com
>     DocumentRoot "/var/www/html/"
>     <Location /secure>
>         AuthType shibboleth
>         ShibRequestSetting requireSession 1
>         ShibRequestSetting entityID openam
>         require shib-session
>     </Location>
>     <Location /Shibboleth.sso>
>         Satisfy Any
>         Allow from all
>     </Location>
>     <Location />
>         AuthType shibboleth
>         Require shibboleth
>     </Location>
> </VirtualHost>
>
> #wso2
> <VirtualHost *:80>
>     ServerName wso2.shibboleth.example.com
>     DocumentRoot "/var/www/html/"
>     <Location /secure>
>         AuthType shibboleth
>         ShibRequestSetting requireSession 1
>         ShibRequestSetting entityID wso2
>         require shib-session
>     </Location>
>     <Location /Shibboleth.sso>
>         Satisfy Any
>         Allow from all
>     </Location>
>     <Location />
>         AuthType shibboleth
>         Require shibboleth
>     </Location>
> </VirtualHost>
>
I will be redirected to openam when I access wso2.shibboleth.example.com,
which should be wso2 instead.
Any idea of why this is happening?
2016-05-19 15:57 GMT+02:00 Peter Schober <peter.schober at univie.ac.at>:
> * reda sabir <sabiretude at gmail.com> [2016-05-19 12:05]:
> > - I retook the same use case: one SP and two IdPs, where each IdP
> > will be used when the user accesses a specific URL. So I have two
> > hostnames pointing at the same website: wso2.shibboleth.example.com
> > and openam.shibboleth.example.com.
>
> You already agreed that there was no need for Overrides, yet your
> configuration features ApplicationOverrides?!
>
> > - The httpd config looks like this:
> > #wso2
> > <VirtualHost *:80>
> > ServerName wso2.shibboleth.example.com
> >
> > DocumentRoot "/var/www/html/"
> > <Location /secure>
> > AuthType shibboleth
> > ShibRequestSetting requireSession 1
> > ShibRequestSetting applicationId default
> > require shib-session
> > </Location>
>
> "applicationId default" is a noop, AFAIU ("default" is default).
> Instead of the override what you want here is
> ShibRequestSetting entityID https://entityid-of-one-such-idp.example.org
>
> > ShibRequestSetting applicationId openam-id
>
> Same thing: Drop the override, add an entityID parameter.
>
> > <MetadataProvider type="XML" validate="true"
> > file="/etc/shibboleth/wso2_metadata.xml"/>
>
> Here add metadata for all IDPs, not just one.
>
> > <ApplicationOverride id="openam-id">
>
> Lose the whole ApplicationOverride and child elements.
>
> I've not yet looked at your DEBUG log since none of what you do
> matches what you said you wanted.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
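Because the value given to `ShibRequestSetting entityID` has to be an IdP entityID that one of the SP's configured MetadataProviders actually loads, a quick cross-check of httpd.conf against shibboleth2.xml and the metadata files is a useful first diagnostic. The script below is an added example, not code from this thread or from the Shibboleth project; its httpd.conf, shibboleth2.xml and metadata contents are constructed stand-ins for the poster's files, and the IdP entityIDs in them are invented placeholders.

```python
import re
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def vhost_idp_settings(httpd_conf):
    """Map each VirtualHost's ServerName to the IdP entityID its ShibRequestSetting names."""
    settings = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", httpd_conf, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M)
        idp = re.search(r"^\s*ShibRequestSetting\s+entityID\s+(\S+)", block, re.M)
        if name and idp:
            settings[name.group(1)] = idp.group(1)
    return settings

def metadata_files(shibboleth2_xml):
    """List the file= paths of every XML MetadataProvider, nested Chaining included."""
    root = ET.fromstring(shibboleth2_xml)
    return [mp.get("file") for mp in root.iter(f"{{{SP_NS}}}MetadataProvider")
            if mp.get("type") == "XML" and mp.get("file")]

def entity_ids(metadata_xml):
    """Collect every EntityDescriptor entityID, whether root or nested in an EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor") if e.get("entityID")}

def unresolved_idps(httpd_conf, shibboleth2_xml, metadata_by_path):
    """Return {ServerName: entityID} for vhosts whose chosen IdP no loaded metadata describes."""
    known = set()
    for path in metadata_files(shibboleth2_xml):
        if path in metadata_by_path:  # an unreadable file simply contributes no entityIDs
            known |= entity_ids(metadata_by_path[path])
    return {host: idp for host, idp in vhost_idp_settings(httpd_conf).items() if idp not in known}

# Constructed stand-ins for the poster's files; the IdP entityIDs are invented placeholders.
HTTPD_CONF = """<VirtualHost *:80>
  ServerName openam.shibboleth.example.com
  ShibRequestSetting entityID openam
</VirtualHost>
<VirtualHost *:80>
  ServerName wso2.shibboleth.example.com
  ShibRequestSetting entityID https://wso2.example.com/samlsso
</VirtualHost>"""
SHIBBOLETH2_XML = f"""<SPConfig xmlns="{SP_NS}"><ApplicationDefaults entityID="sp.shibboleth.example.com"><MetadataProvider type="Chaining">
    <MetadataProvider type="XML" validate="true" file="/etc/shibboleth/openam_metadata.xml"/>
    <MetadataProvider type="XML" validate="true" file="/etc/shibboleth/wso2_metadata.xml"/>
</MetadataProvider></ApplicationDefaults></SPConfig>"""
METADATA = {"/etc/shibboleth/openam_metadata.xml":  # file path -> contents as read from disk
            f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://openam.example.com/openam"/>',
            "/etc/shibboleth/wso2_metadata.xml":
            f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://wso2.example.com/samlsso"/>'}
```

With these inputs `unresolved_idps(HTTPD_CONF, SHIBBOLETH2_XML, METADATA)` flags only the openam vhost, because the short name "openam" is not an entityID present in the loaded metadata while the wso2 vhost names one that is.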