Set Property shibConfig for Service Provider in Apache VirtualHost
Troschke, Jürgen
Juergen.Troschke at ZIT-BB.Brandenburg.de
Tue Dec 18 11:02:21 EST 2018
Hi,
I assign several virtual hosts (SP1, SP2) to different IDPs (IDP1, IDP2).
My questions:
1. Maybe this is a bug here.
2. How can I do it better in another way?
The problem:
The property shibConfig can be set globally in shibd.conf or in a VirtualHost. Setting the property in a Location is not allowed.
So I set the property shibConfig in the VirtualHost.
However, this is not evaluated correctly. Only the last assignment ever takes effect.
My configuration in detail:
For the test, I use http instead of https.
I created two instances of the Shibboleth 2.6.1 Service Provider and edited shibboleth2.xml in each.
/shibboleth_sp1
<ApplicationDefaults entityID="sp-bewe-portal2-04.service.lvnbb.de" ...
<UnixListener address="/shibboleth-sp1/run/shibd.sock"/>
<SSO entityID="idp-grundbuch-test.zit-bb.de"
<MetadataProvider type="XML" validate="true" file="/shibboleth-sp1/zitbb/idp-grundbuch-test.zit-bb.de.xml"/>
/shibboleth_sp2
<ApplicationDefaults entityID="sp-portal2-04.service.lvnbb.de" ...
<UnixListener address="/shibboleth-sp2/run/shibd.sock"/>
<SSO entityID="idp-idm-test.zit-bb.de"
<MetadataProvider type="XML" validate="true" file="/shibboleth-sp2/zitbb/idp-idm-test.zit-bb.de.xml"/>
Apache 2.4.29 Service Provider
shibd.conf
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off
#ShibConfig is set in VirtualHost
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
vhosts.conf
<VirtualHost *:80>
    ServerName bewe-portal2-04.service.lvnbb.de
    RewriteEngine On
    ProxyPreserveHost On
    UseCanonicalName On
    shibConfig /shibboleth-sp1/shibboleth2.xml
    <Location "/secure">
        AuthType shibboleth
        #ShibRequestSetting applicationId sp-bewe-portal2-04.service.lvnbb.de
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>
    RewriteRule ^/[Ss]hibboleth %{REQUEST_URI} [PT,L]
    RewriteRule ^/secure %{REQUEST_URI} [PT,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName portal2-04.service.lvnbb.de
    RewriteEngine On
    ProxyPreserveHost On
    UseCanonicalName On
    shibConfig /shibboleth-sp2/shibboleth2.xml
    <Location "/secure">
        AuthType shibboleth
        #ShibRequestSetting applicationId sp-portal2-04.service.lvnbb.de
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>
    RewriteRule ^/[Ss]hibboleth %{REQUEST_URI} [PT,L]
    RewriteRule ^/secure %{REQUEST_URI} [PT,L]
</VirtualHost>
Identity Provider
The two identity providers are Liferay 6.2 portal instances with the Liferay SAML2 Connector plugin.
Thank you for any hint
Jürgen
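Added example, not part of the post above: mod_shib loads a single shibboleth2.xml per Apache server and talks to a single shibd, which matches the "last assignment wins" behaviour described. The standard way to serve two virtual hosts with different entityIDs and different IdPs from one SP is therefore one configuration file with an ApplicationOverride per host, selected from Apache with the ShibRequestSetting applicationId lines that are commented out in the vhosts above. The entityIDs, IdP entityIDs and metadata paths below are the ones from the post; the override id "portal2", the Sessions attributes and the cookie names are assumptions chosen for illustration.

```xml
<!-- Single /etc/shibboleth/shibboleth2.xml shared by both vhosts (example, not the poster's file) -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          clockSkew="180">

    <!-- One shibd, one socket, for both virtual hosts -->
    <UnixListener address="/var/run/shibboleth/shibd.sock"/>

    <!-- Default application: bewe-portal2-04 talks to idp-grundbuch-test -->
    <ApplicationDefaults entityID="sp-bewe-portal2-04.service.lvnbb.de"
                         REMOTE_USER="eppn persistent-id targeted-id">

        <!-- cookieName keeps the two applications' session cookies apart (assumed value) -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http"
                  cookieName="_shibsession_bewe">
            <SSO entityID="idp-grundbuch-test.zit-bb.de">SAML2</SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
        </Sessions>

        <Errors supportContact="root@localhost" helpLocation="/about.html"/>

        <!-- Only this IdP's metadata is trusted for the default application -->
        <MetadataProvider type="XML" validate="true"
                          file="/shibboleth-sp1/zitbb/idp-grundbuch-test.zit-bb.de.xml"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!-- Second application: portal2-04 talks to idp-idm-test.
             Selected from Apache with:  ShibRequestSetting applicationId portal2 -->
        <ApplicationOverride id="portal2" entityID="sp-portal2-04.service.lvnbb.de">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                      handlerURL="/Shibboleth.sso" handlerSSL="false" cookieProps="http"
                      cookieName="_shibsession_portal2">
                <SSO entityID="idp-idm-test.zit-bb.de">SAML2</SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>
            <!-- Separate metadata provider, so each SP only trusts its own IdP -->
            <MetadataProvider type="XML" validate="true"
                              file="/shibboleth-sp2/zitbb/idp-idm-test.zit-bb.de.xml"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicies>
        <PolicyRule type="Conditions"><PolicyRule type="Audience"/></PolicyRule>
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </SecurityPolicies>
</SPConfig>
```

With this layout the two VirtualHost blocks drop their shibConfig lines and instead set `ShibRequestSetting applicationId portal2` (or `applicationId default`) in their `<Location "/secure">`; the applicationId is matched against the override's `id`, not against the entityID. Each application's metadata provider is scoped to that override, so an assertion from idp-idm-test cannot create a session on the bewe-portal2-04 entity, and the distinct cookie names stop a session for one host from being presented to the other. After the change, `shibd -t` validates the merged file and `/Shibboleth.sso/Metadata` on each host should show the host's own entityID.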