Shibboleth and Apache HTTP config for a two-node, one-load-balancer architecture.
gori.kaushik
gori.kaushik at gmail.com
Tue Aug 21 05:01:47 EDT 2018
I have been facing an issue setting up the load balancer virtual host for the Apache
servers.
I am able to configure the two single nodes, and they work perfectly
fine with the shib.conf I have written. But I have had no luck when trying to use my
LB VirtualHost for the same purpose. It seems it doesn't know what to do once
authentication is done.
Error in the browser:
Authorization Required
This server could not verify that you are authorized to access the document
requested. Either you supplied the wrong credentials (e.g., bad password),
or your browser doesn't understand how to supply the credentials required.
Apache/2.2.15 (Red Hat) Server at intratest.xxx Port 80
shib.conf
#apache server individual virtualhost node ip - xxx.lr1.xxx
NameVirtualHost xxx63:443
NameVirtualHost xxx63:80
#apache server load balancer virtualhost ip - intratest.xxx
NameVirtualHost xxx197:80
# NOTE(review): the load-balancer address is declared for port 80 only.
# shibboleth2.xml (further down the post) sets handlerSSL="true" and
# cookieProps="https", so the SP's handler URLs and its session cookie are
# HTTPS-only; a browser will not return that cookie to a plain http://
# vhost, which matches the "authenticated but still refused" symptom
# reported above. Confirm whether the LB is meant to terminate TLS and
# serve intratest.xxx on 443 as well.
# RPM installations on platforms with a conf.d directory will
# result in this file being copied into that directory for you
# and preserved across upgrades.
# For non-RPM installs, you should copy the relevant contents of
# this file to a configuration location you control.
#
# Load the Shibboleth module.
#
# mod_shib_22 is the Apache 2.2 build of the module; the error banner in
# the post reports Apache/2.2.15 on the LB host.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
#
# Ensures handler will be accessible.
#
# The /Shibboleth.sso handler (assertion consumer, logout, status, ...)
# must be reachable without a session, so authentication is disabled here.
# NOTE(review): "Require all granted" is Apache 2.4 syntax; the shib.conf
# shipped for 2.2 uses "Satisfy Any" / "Allow from all" for this and the
# /shibboleth-sp location instead. Confirm which httpd version the LB runs.
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
#
# Used for example style sheet in error templates.
#
# Static resources referenced by the SP's error pages (see the styleSheet
# attribute of <Errors> in shibboleth2.xml); no session needed.
<IfModule mod_alias.c>
<Location /shibboleth-sp>
AuthType None
Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>
#
# Configure the module for content.
#
# You MUST enable AuthType shibboleth for the module to process
# any requests, and there MUST be a require command as well. To
# enable Shibboleth but not specify any session/access requirements
# use "require shibboleth".
#
# /secure: every request must carry a valid SP session. "require
# shib-session" admits any authenticated user; no attribute-based
# authorization rule is applied here. ShibCompatWith24 tells the module to
# evaluate the Require rules the Apache 2.4 way.
<Location /secure>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
require shib-session
</Location>
#LB VirtualHost for apache server
# Front-end vhost on the load-balancer address. It serves plain HTTP on
# port 80 only: there is no SSLEngine here and no :443 twin, unlike the
# node vhosts below.
# NOTE(review): shibboleth2.xml marks the session cookie HTTPS-only
# (cookieProps="https") and requires TLS for the handlers
# (handlerSSL="true"), so a session established through this vhost cannot
# be presented back over http:// — the likely reason the request is still
# refused after authentication. Serving intratest.xxx over HTTPS (or
# terminating TLS at the LB and passing the scheme through) is needed for
# those SP settings to work.
<VirtualHost xxx197:80>
ServerAdmin root at localhost
# ServerName is the same "xxx-lr1" as on the node vhosts below; the name
# clients actually use for the LB (intratest.xxx) is only an alias here.
ServerName xxx-lr1
ServerAlias intratest.xxx
CustomLog /var/log/httpd/access_log combined
ErrorLog /var/log/httpd/error_log
# Only /auth is protected; every other path proxied below is reachable
# without an SP session.
<Location /auth>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
require shib-session
</Location>
# Exclusions must precede the catch-all ProxyPass so that the SP handler
# is answered locally by mod_shib instead of being forwarded to the backend.
# NOTE(review): mod_proxy documents the "!" exclusion for ProxyPass only;
# the ProxyPassReverse line with "!" is at best a no-op — confirm.
ProxyPass /Shibboleth.sso !
ProxyPassReverse /Shibboleth.sso !
# Everything else goes to the application on localhost:8080. mod_shib
# exports attributes as Apache environment variables by default, and those
# do not cross a reverse proxy; if the backend needs REMOTE_USER or
# attributes, header export (ShibUseHeaders) would be required and the
# backend must then accept those headers only from this proxy — TODO
# confirm what the backend expects.
ProxyPass / http://localhost:8080/
# mod_proxy tuning: talk HTTP/1.0 without keep-alive to the backend.
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
# Duplicate of the line above; harmless, can be dropped.
SetEnv proxy-nokeepalive 1
</VirtualHost>
#VirtualHost for apache server port 80
# Node-local plain-HTTP vhost: nothing is served here. Every request,
# including the /Shibboleth.sso handler, is permanently redirected to the
# node's HTTPS name, which is consistent with handlerSSL="true" in
# shibboleth2.xml. (Contrast with the LB vhost above, which serves content
# over port 80.)
<VirtualHost xxx63:80>
ServerAdmin root at localhost
ServerName xxx-lr1
ServerAlias xxx-lr1.intra.xxx
Redirect permanent / https://xxx-lr1.intra.xxx/
</VirtualHost>
#VirtualHost for apache server port 443
# Node-local HTTPS vhost: same protection and proxy layout as the LB vhost,
# but with TLS terminated here, so the SP's HTTPS-only cookie and handler
# settings are satisfied when a node is addressed directly.
<VirtualHost xxx63:443>
ServerAdmin root at localhost
ServerName xxx-lr1
ServerAlias xxx-lr1.intra.xxx
SSLEngine on
# NOTE(review): the file names read like a CA certificate and key; confirm
# this is the server certificate issued for xxx-lr1.intra.xxx. No protocol
# or cipher directives are set in this vhost, so the global mod_ssl
# defaults apply.
SSLCertificateFile /etc/httpd/ssl/ca.crt
SSLCertificateKeyFile /etc/httpd/ssl/ca.key
CustomLog /var/log/httpd/access_log combined
ErrorLog /var/log/httpd/error_log
# Only /auth requires an SP session; the rest of the proxied tree is open.
<Location /auth>
AuthType shibboleth
ShibCompatWith24 On
ShibRequestSetting requireSession 1
require shib-session
</Location>
# The SP handler is served locally by mod_shib; this exclusion must stay
# before the catch-all ProxyPass. ("!" is documented for ProxyPass only;
# the ProxyPassReverse form is at best a no-op — confirm.)
ProxyPass /Shibboleth.sso !
ProxyPassReverse /Shibboleth.sso !
# Backend application. mod_shib exports attributes as environment
# variables by default, which are not forwarded by the proxy; TODO confirm
# how the backend on 8080 is meant to learn the authenticated user.
ProxyPass / http://localhost:8080/
# mod_proxy tuning: HTTP/1.0 without keep-alive towards the backend.
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</VirtualHost>
##############################
shibboleth2.xml
##############################
<!-- Shibboleth SP (shibd) configuration for the service behind
     intratest.xxx; the Apache side of the same deployment is the
     shib.conf shown earlier in the post. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!-- The SP's own identity is the HTTPS load-balancer name. REMOTE_USER is
     filled from the first of eppn / persistent-id / targeted-id that is
     present; signing and encryption of outbound messages are enabled. -->
<ApplicationDefaults entityID="https://intratest.xxx/shibboleth"
REMOTE_USER="eppn persistent-id targeted-id"
encryption="true" signing="true">
<!-- Sessions last 8 h with a 1 h idle timeout. checkAddress="false" does
     not bind a session to the client address (plausible behind a load
     balancer, where the address seen may vary). handlerSSL="true" and
     cookieProps="https" make the handler URLs and the session cookie
     HTTPS-only; note that the LB vhost in shib.conf listens on port 80
     only. relayState="ss:mem" keeps relay state in this node's memory.
     NOTE(review): with two nodes behind one LB, node-local in-memory
     state (relay state and, by default, sessions) only works with LB
     affinity or a shared StorageService; confirm how the LB pins clients. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true"
cookieProps="https">
<!-- Shorthand default initiator: SAML2 first, then SAML1.
     NOTE(review): SSO already defines the default SessionInitiator, and
     the explicit initiator below is also isDefault="true"; the SP normally
     expects one or the other, so confirm which one is actually used. -->
<SSO>
SAML2 SAML1
</SSO>
<!-- Explicit initiator at /preprod, pinned to the Elisa test IdP by
     entityID. relayState="cookie" here overrides the ss:mem setting on
     Sessions (inconsistent, but valid). -->
<SessionInitiator type="Chaining" Location="/preprod"
isDefault="true" id="Access Manager test"
relayState="cookie"
entityID="https://etestsso.elisa.fi:8443/nidp/saml2/metadata">
<!-- SAML2 leg: the embedded AuthnRequest template is sent with an "exact"
     authentication-context comparison; bindingTemplate.html renders the
     browser form. -->
<SessionInitiator type="SAML2"
template="bindingTemplate.html" authnContextComparison="exact">
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="AuthContractRequired1" Version="2.0"
IssueInstant="2014-01-01T00:00:00Z"/>
</SessionInitiator>
<!-- SAML1 fallback using assertion-consumer index 5. -->
<SessionInitiator type="Shib1" acsIndex="5"/>
</SessionInitiator>
<!-- /Logout ends only the local SP session; no IdP-side logout is chained. -->
<LogoutInitiator type="Chaining" Location="/Logout"
asynchronous="false">
<LogoutInitiator type="Local"/>
</LogoutInitiator>
<!-- Inbound single-logout endpoints, one per SAML2 binding. -->
<md:SingleLogoutService Location="/SLO/SOAP"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
<md:SingleLogoutService Location="/SLO/Redirect"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
<md:SingleLogoutService Location="/SLO/POST"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
<md:SingleLogoutService Location="/SLO/Artifact"
conf:template="bindingTemplate.html"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
<!-- Generated SP metadata at /Metadata is served unsigned. -->
<Handler type="MetadataGenerator" Location="/Metadata"
signing="false"/>
<!-- /Status is restricted to requests from the loopback address. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1"/>
<!-- /Session shows the caller's own session, including attribute values. -->
<Handler type="Session" Location="/Session"
showAttributeValues="true"/>
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!-- Error-page branding; the style sheet path matches the /shibboleth-sp
     alias in shib.conf. -->
<Errors supportContact="root at localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- A single static metadata file for the test IdP, with no
     MetadataFilter attached (no signature or validity check), so trust in
     the IdP rests on the integrity of that file on disk. -->
<MetadataProvider type="Chaining">
<MetadataProvider type="XML" file="etestsso-metadata.xml"/>
</MetadataProvider>
<!-- Attribute mapping, attribute query and release filtering are taken
     from the usual side files. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false"
path="attribute-map.xml"/>
<AttributeResolver type="Query" subjectMatch="true"/>
<AttributeFilter type="XML" validate="true"
path="attribute-policy.xml"/>
<!-- One key pair serves both signing and decryption. -->
<CredentialResolver type="Chaining">
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem" use="signing"/>
<CredentialResolver type="File" key="sp-key.pem"
certificate="sp-cert.pem" use="encryption"/>
</CredentialResolver>
<!-- NOTE(review): the entityID of an ApplicationOverride is the SP's own
     identity for that application, yet this one carries the IdP's
     entityID from the initiator above; it looks like a copy/paste slip.
     Confirm whether "samltest1" is referenced anywhere at all. -->
<ApplicationOverride id="samltest1"
entityID="https://etestsso.elisa.fi:8443/nidp/saml2/metadata"/>
</ApplicationDefaults>
<!-- Message security-policy and protocol definitions from the stock files. -->
<SecurityPolicyProvider type="XML" validate="true"
path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false"
path="protocols.xml"/>
</SPConfig>