shibboleth2.xml configuration for www and non-www requests to same host (IIS)
Cantor, Scott
cantor.2 at osu.edu
Thu May 25 14:25:47 EDT 2017
> Apologies for the HTML email. Below is the message again without html. To
> clarify, the issue is that after authentication, when an https request is made
> without www in the host, shibboleth redirects to
> https://www.example.com, losing the path.
The path recovery after a login is a relay state matter. If it's losing relay state and ending up going to the homeURL, that's generally a misconfigured web server in terms of its handling of requests to vhosts and how cookies are being assigned for later use. It's not a fix, but avoiding use of cookies for relay state in favor of the in-memory default is one way of working around misconfigurations in some cases, but ultimately what hostnames get used by the requests is fundamentally a web server issue.
> I've tried setting up an Alias but the documentation also specify that "Using
> an alias requires that you duplicate any request map settings for each host
> you want to allow.", but when I add <Alias>example.com</Alias> to the
> <Site name=www.example.com>, and then duplicate the request map, I'm
> getting a Shibboleth error.
"error" doesn't tell me anything in particular, but that is what you have to do.
The RequestMap can contain any number of <Host> children for each of the names to support. Of course, duplicating complex settings across Hosts is not ideal, but the workarounds are the best it can do to compensate. Apache doesn't have these problems.
A "full" workaround for all the RequestMap issues is to completely remove all settings there and do it all at runtime in the application code to control what gets done and when.
> But these requests all work correctly (after login, all are redirected to
> https://www.example.com/site/aspx as expected):
> http://example.com/site/aspx
If that worked, the only possible reason is that it's already been redirected to www.example.com up front before the SP gets into the mix, so the whole situation is just being avoided. There's no fundamental difference between the cases otherwise. So maybe the solution is to do whatever redirecting you're doing for http://example.com and apply it to https://example.com.
> Our requestmap is configured similarly:
> <Host name="www.example.com"
You need to add a second Host if you're going to use an Alias, and you would also need to make sure your SAML metadata contains a set of endpoints on both hosts too.
-- Scott
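An added example (not from the thread, and not the poster's actual configuration) of the shibboleth2.xml fragments the reply describes: the IIS Site with an Alias, a RequestMap carrying the same settings under a second Host, and relayState left on the in-memory default instead of cookies. All hostnames, the path name, the entityID and the IdP are placeholders.

```xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">

  <!-- IIS only: the Alias makes the SP accept requests for example.com
       under the Site that is configured for www.example.com -->
  <InProcess>
    <ISAPI>
      <Site id="1" name="www.example.com" scheme="https" port="443">
        <Alias>example.com</Alias>
      </Site>
    </ISAPI>
  </InProcess>

  <RequestMapper type="Native">
    <RequestMap>
      <!-- One Host per hostname the SP must protect. The Alias does not
           share RequestMap settings, so the second Host repeats them. -->
      <Host name="www.example.com" scheme="https">
        <Path name="site" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="example.com" scheme="https">
        <Path name="site" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>

  <ApplicationDefaults entityID="https://www.example.com/shibboleth"
                       REMOTE_USER="eppn">
    <!-- relayState="ss:mem" is the in-memory default the reply prefers
         over relayState="cookie" when vhost cookie handling is suspect -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <!-- remaining ApplicationDefaults content (MetadataProvider,
         AttributeExtractor, CredentialResolver, ...) unchanged -->
  </ApplicationDefaults>
</SPConfig>
```

As the reply also notes, the SP's SAML metadata must list its endpoints (AssertionConsumerService and the like) on both hostnames, otherwise the IdP will only return the response to the www.example.com endpoints.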