Set Property shibConfig for Service Provider in Apache VirtualHost

Peter Schober peter.schober at univie.ac.at
Wed Dec 19 06:22:19 EST 2018


* Troschke, Jürgen <Juergen.Troschke at ZIT-BB.Brandenburg.de> [2018-12-18 17:03]:
> The property shibConfig can be set globally in shibd.conf or in VirtualHost. Setting the Property in Location is not allowed.
> So I set the property shibConfig in VirtualHost.
> However, this is not evaluated correctly. It always only affects the last assignment.

So stepping back from how you want to solve your problem, can you
explain what exactly it is you're trying to achieve?

To run a single instance of the Shib SP software, with 2 logical SPs
each with their own entityID, and with each SP sending SSO requests to
a different single IDP, each?
(Note that your examples still don't handle authorization, maybe
that's done in the proxied application outside Apache httpd?)

AFAIR the above should all be possible with httpd directives provided
by mod_shib. See:
https://wiki.shibboleth.net/confluence/display/SP3/ApplicationModel
https://wiki.shibboleth.net/confluence/display/SP3/ContentSettings

> I created two instances of Shibboleth 2.6.1 Service Provider and edited shibboleth2.xml.

Meaning you installed the software twice, from source (I don't think
the supported packages are relocatable)? That's not how the SP works.
Try something like this instead (leaving out the proxying for clarity):

<VirtualHost *:80>
  ServerName bewe-portal2-04.service.lvnbb.de
  UseCanonicalName On
  <Location "/">
    AuthType shibboleth
    # this vhost's own SP entityID
    ShibRequestSetting entityIDSelf sp-bewe-portal2-04.service.lvnbb.de
    # the (only) IDP this vhost sends SSO requests to
    ShibRequestSetting entityID idp-grundbuch-test.zit-bb.de
    ShibRequestSetting requireSession 1
    # authorization: scoped affiliation value only this IDP can assert
    Require shib-attr affiliation member@idp-grundbuch-test.zit-bb.de
  </Location>
</VirtualHost>

<VirtualHost *:80>
  ServerName portal2-04.service.lvnbb.de
  UseCanonicalName On
  <Location "/">
    AuthType shibboleth
    ShibRequestSetting entityIDSelf sp-portal2-04.service.lvnbb.de
    ShibRequestSetting entityID idp-idm-test.zit-bb.de
    ShibRequestSetting requireSession 1
    Require shib-attr affiliation member@idp-idm-test.zit-bb.de
  </Location>
</VirtualHost>

I.e., each vhost sets its own entityID as well as the entityID of
the IDP it should interact with. Sessions are enforced for the whole
vhost (which may or may not be appropriate here) and for authorization
an attribute value is required that should only be able to come from
each IDP.

There's no reason to load metadata in a mutually exclusive way, just
load it globally. (If you think there's a problem with that then
you're likely confusing metadata availability with authorization.
I've added 'Require shib-attr' directives above for illustration.)

If OTOH anyone/anything able to authenticate at those IDPs is meant
to be allowed to access these vhosts (and the proxied resources behind
them) then you can revert my 'Require shib-attr' examples back to your
'Require shib-session'.

Also note that all the entityIDs in use in your examples are (a)
invalid per the spec as they're required to be URIs and a URI has a
scheme, and equally important (b) very badly chosen. I know this is
a test setup but do take the time to review the guidance here:
https://wiki.shibboleth.net/confluence/display/CONCEPT/EntityNaming

And of course you'll also have to provide SAML Metadata for these two
SPs to the appropriate IDP(s).

-peter
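The post above recommends one SP instance with per-vhost `ShibRequestSetting entityIDSelf` / `entityID` directives, and separately points out that the entityIDs used are not valid URIs. The following is an added example, not part of the mailing-list message and not Shibboleth project code: a small lint script that parses `<VirtualHost>` blocks out of an httpd config, collects the `ShibRequestSetting` values per vhost, and reports entityIDs that lack a URI scheme, missing settings, and an entityIDSelf shared by two vhosts. The two config snippets embedded below are constructed inputs: the first reuses the hostnames from the thread (and so fails the URI check), the second uses hypothetical `https://.../shibboleth` entityIDs chosen for illustration.

```python
"""Lint per-vhost Shibboleth SP settings in an Apache httpd config.

Added example (not from the original post). Checks the things the post
calls out: each vhost needs its own entityIDSelf and an IDP entityID,
both must be absolute URIs (i.e. have a scheme), and no two vhosts
should claim the same entityIDSelf.
"""
import re
from urllib.parse import urlsplit

# Non-greedy match of each <VirtualHost ...> ... </VirtualHost> body (nesting is not used by httpd here).
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M)
SETTING_RE = re.compile(r"^\s*ShibRequestSetting\s+(\S+)\s+(\S+)", re.M)


def parse_vhosts(config):
    """Return one dict per vhost: {'ServerName': str|None, 'settings': {name: value}}."""
    vhosts = []
    for body in VHOST_RE.findall(config):
        m = SERVERNAME_RE.search(body)
        vhosts.append({
            "ServerName": m.group(1) if m else None,
            "settings": dict(SETTING_RE.findall(body)),
        })
    return vhosts


def is_valid_entity_id(value):
    """An entityID must be an absolute URI: a scheme, plus a host for http(s)
    URLs or a non-empty opaque part for other schemes such as urn:."""
    parts = urlsplit(value)
    if not parts.scheme:
        return False
    if parts.scheme in ("http", "https"):
        return bool(parts.netloc)
    return bool(parts.path or parts.netloc)


def lint(config):
    """Return a list of (ServerName, problem) tuples; an empty list means the config passes."""
    problems = []
    seen_self = {}  # entityIDSelf -> ServerName that first used it
    for vh in parse_vhosts(config):
        name = vh["ServerName"] or "<no ServerName>"
        settings = vh["settings"]
        for key in ("entityIDSelf", "entityID"):
            if key not in settings:
                problems.append((name, f"missing ShibRequestSetting {key}"))
            elif not is_valid_entity_id(settings[key]):
                problems.append((name, f"{key} {settings[key]!r} is not an absolute URI"))
        self_id = settings.get("entityIDSelf")
        if self_id is not None:
            if self_id in seen_self:
                problems.append((name, f"entityIDSelf {self_id!r} already used by {seen_self[self_id]}"))
            else:
                seen_self[self_id] = name
    return problems


# Constructed input 1: the hostnames from the thread, used as bare entityIDs (no scheme).
THREAD_CONFIG = """
<VirtualHost *:80>
  ServerName bewe-portal2-04.service.lvnbb.de
  <Location "/">
    AuthType shibboleth
    ShibRequestSetting entityIDSelf sp-bewe-portal2-04.service.lvnbb.de
    ShibRequestSetting entityID idp-grundbuch-test.zit-bb.de
    ShibRequestSetting requireSession 1
  </Location>
</VirtualHost>
<VirtualHost *:80>
  ServerName portal2-04.service.lvnbb.de
  <Location "/">
    AuthType shibboleth
    ShibRequestSetting entityIDSelf sp-portal2-04.service.lvnbb.de
    ShibRequestSetting entityID idp-idm-test.zit-bb.de
    ShibRequestSetting requireSession 1
  </Location>
</VirtualHost>
"""

# Constructed input 2: same layout with hypothetical URL-form entityIDs (assumed names, not real deployments).
FIXED_CONFIG = THREAD_CONFIG.replace(
    "entityIDSelf sp-bewe-portal2-04.service.lvnbb.de",
    "entityIDSelf https://sp-bewe-portal2-04.service.lvnbb.de/shibboleth",
).replace(
    "entityIDSelf sp-portal2-04.service.lvnbb.de",
    "entityIDSelf https://sp-portal2-04.service.lvnbb.de/shibboleth",
).replace(
    "entityID idp-grundbuch-test.zit-bb.de", "entityID https://idp-grundbuch-test.zit-bb.de/idp/shibboleth",
).replace(
    "entityID idp-idm-test.zit-bb.de", "entityID https://idp-idm-test.zit-bb.de/idp/shibboleth",
)

if __name__ == "__main__":
    for label, cfg in (("thread config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"{label}:", lint(cfg) or "OK")
```

Running it flags all four bare-hostname entityIDs in the first snippet and passes the second. The duplicate-entityIDSelf check matters because two vhosts claiming the same SP entityID would be indistinguishable to the IDP in metadata, which is exactly the situation the per-vhost `entityIDSelf` setting exists to avoid.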


More information about the users mailing list