shibboleth2.xml configuration for www and non-www requests to same host (IIS)
cantor.2 at osu.edu
Thu May 25 14:25:47 EDT 2017
> Apologies for the HTML email. Below is the message again without html. To
> clarify, the issue is that after authentication, when an https request is made
> without www in the host, shibboleth redirects to
> https://www.example.com, losing the path.
> I've tried setting up an Alias but the documentation also specifies that "Using
> an alias requires that you duplicate any request map settings for each host
> you want to allow.", but when I add <Alias>example.com</Alias> to the
> <Site name=www.example.com>, and then duplicate the request map, I'm
> getting a Shibboleth error.
"error" doesn't tell me anything in particular, but that is what you have to do.
The RequestMap can contain any number of <Host> children for each of the names to support. Of course, duplicating complex settings across Hosts is not ideal, but the workarounds are the best it can do to compensate. Apache doesn't have these problems.
A "full" workaround for all the RequestMap issues is to completely remove all settings there and do it all at runtime in the application code to control what gets done and when.
> But these requests all work correctly (after login, all are redirected to
> https://www.example.com/site/aspx as expected):
If that worked, the only possible reason is that it's already been redirected to www.example.com up front before the SP gets into the mix so the whole situation is just being avoided. There's no fundamental difference between the cases otherwise. So maybe the solution is to do whatever redirecting you're doing for http://example.com and apply it to https://example.com
> Our requestmap is configured similarly:
> <Host name="www.example.com"
You need to add a second Host if you're going to use an Alias, and you would also need to make sure your SAML metadata contains a set of endpoints on both hosts too.
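
A consistency check for the setup discussed in this thread, added here as an example and not part of the original message or the Shibboleth project's code: it lists every ISAPI Site name and Alias that has no matching RequestMap Host or no endpoint in the SP metadata. The embedded config fragment, the site id, the Host attributes and the ACS URL are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: trimmed shibboleth2.xml (site id and Host settings are assumptions).
SAMPLE_CONFIG = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <InProcess>
    <ISAPI normalizeRequest="true">
      <Site id="1" name="www.example.com">
        <Alias>example.com</Alias>
      </Site>
    </ISAPI>
  </InProcess>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="www.example.com" authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""

# Constructed sample: ACS endpoint locations copied from the SP's SAML metadata.
SAMPLE_ACS = ["https://www.example.com/Shibboleth.sso/SAML2/POST"]


def local(tag):
    """Strip the XML namespace so the check does not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]


def audit_hosts(config_xml, acs_locations):
    """Return (names missing a RequestMap Host, names missing a metadata endpoint)."""
    root = ET.fromstring(config_xml)
    served, mapped = set(), set()
    for el in root.iter():
        if local(el.tag) == "Site" and el.get("name"):
            served.add(el.get("name").lower())
        elif local(el.tag) == "Alias" and el.text:
            served.add(el.text.strip().lower())
        elif local(el.tag) == "Host" and el.get("name"):
            mapped.add(el.get("name").lower())
    in_metadata = {urlparse(u).hostname for u in acs_locations}
    return sorted(served - mapped), sorted(served - in_metadata)


if __name__ == "__main__":
    no_host, no_endpoint = audit_hosts(SAMPLE_CONFIG, SAMPLE_ACS)
    print("No RequestMap <Host>:", no_host)
    print("No metadata endpoint:", no_endpoint)
```

On the sample, `example.com` is reported in both lists: the Alias is declared but neither the second Host nor the second set of endpoints exists yet.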