Apache 2.4.7 - mod-shib 2.5.2 - http bindings?

Robert Duncan Robert.Duncan at ncirl.ie
Mon May 30 07:29:53 EDT 2016


Can anyone tell why Shibboleth is generating SP metadata with http bindings instead of https. These vhost settings worked for me before, as far as I understood the SP generates metadata based on the vhost configuration - but the below, with https ServerName directive always generates http - handleSSL is off in shibboleth because the SP will be behind a load balancer.
  ServerName https://liberty.example.com:5000/
  UseCanonicalName On

  ## Vhost docroot
  DocumentRoot "/usr/lib/cgi-bin/keystone"

  ## Directories, there should at least be a declaration for /usr/lib/cgi-bin/keystone

  <Directory "/usr/lib/cgi-bin/keystone">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted

  ## Logging
  ErrorLog "/var/log/apache2/keystone_wsgi_main_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/keystone_wsgi_main_access.log" "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
  WSGIApplicationGroup %{GLOBAL}
  WSGIDaemonProcess keystone_main display-name=keystone-main group=keystone processes=6 threads=3 user=keystone
  WSGIProcessGroup keystone_main
  WSGIScriptAlias / "/usr/lib/cgi-bin/keystone/main"
  WSGIPassAuthorization On

  ## Custom fragment
LimitRequestFieldSize 81900

<Location ~ "/v3/auth/OS-FEDERATION/websso/saml2">
    ShibRequestSetting requireSession 1
    AuthType shibboleth
    ShibExportAssertion Off
    Require valid-user



<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"

    <ApplicationDefaults entityID="https://liberty.example.com:5000/">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http">

            <SSO entityID="https://idp.example.com/idp/shibboleth" ECP="true">
              SAML2 SAML1

<Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <Handler type="Status" Location="/Status" acl=" ::1"/>

            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

        <Errors supportContact="rduncan at example.com"

        <MetadataProvider type="XML" file="example.xml"/>

          <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeResolver type="Query" subjectMatch="true"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>


    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>


Rob Duncan.

The information contained and transmitted in this e-mail is confidential information, and is intended only for the named recipient to which it is addressed. The content of this e-mail may not have been sent with the authority of National College of Ireland. Any views or opinions presented are solely those of the author and do not necessarily represent those of National College of Ireland. If the reader of this message is not the named recipient or a person responsible for delivering it to the named recipient, you are notified that the review, dissemination, distribution, transmission, printing or copying, forwarding, or any other use of this message or any part of it, including any attachments, is strictly prohibited. If you have received this communication in error, please delete the e-mail and destroy all record of this communication. Thank you for your assistance.

More information about the users mailing list