ShibbolethSP+ADFS and vhosts

Gahring, David A gahringd at palmbeachstate.edu
Thu Feb 15 11:47:24 EST 2018


Greetings,

First, this is my first post to the list and I am a self-proclaimed novice at Shibboleth and SSO in general, but I’ve been handed the responsibility of enabling SSO for our web application(s) here at the college.

The background:

I have Shibboleth SP 2.6.1 up and running on a SLES server where Apache2 is running as the front-end to our web application. The IdP role is being provided by ADFS (4.0?) and I have successfully protected resources within Apache using Shib+ADFS. The architecture in place here to address load balancing (among other things) is a set of separate servers that each run Tomcat, where the actual application lives. Each of our Tomcat servers is referenced through one of 4 Apache-defined vhosts (i.e. web1, web2, web3, web4). Once a user is directed to one of these vhosts, they (must) remain there for the duration of their application session. There is an in-house routine that is used to randomize the distribution to these different target vhosts.

The problem:

For reasons too lengthy to convey, we’re being asked to prefill the username value on the ADFS logon form, since we already have the value provided by the user when we first hit the application. We’ve been able to accomplish that using the ADFS IdP-initiated sign-on URL with the ‘username=’ parameter added to the URL, along with the ‘LoginToRP=’ parameter to direct the user to our relying party. This works fine, with one exception. The IdP-initiated sign-on always directs us back to the first defined assertion consumer URL in ADFS (i.e. web1) rather than the one from which the request was sent (i.e. web2, for instance).

The question:

What is the best way (SP-initiated, IdP-initiated, etc.) to both provide a username value to ADFS for the logon form and return to the requesting (or a specific) vhost where the sign-on was initiated? I’ve dug through the Shibboleth documentation without success, and we have a support request open with Microsoft as well but haven’t gotten an answer yet. So far, I’ve tried various permutations of RelayState and different ideas using acsIndex, but have yet to stumble on the right combination that will allow us to both pass the value for username on the ADFS form and also return to the desired vhost URL.

Any guidance would be VERY appreciated!

Regards,

______________________________________
David A. Gahring
Systems Consultant - IT Department
Palm Beach State College
4200 Congress Avenue
Lake Worth, FL 33461
Work: 561.868.3320
Cell: 904.742-5407
Email: gahringd at palmbeachstate.edu


________________________________

Please note: Due to Florida’s broad open records law, most written communication to or from College employees is public record, available to the public and the media upon request. Therefore, this e-mail communication may be subject to public disclosure.
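The post tries RelayState as the way to carry the originating vhost through an ADFS IdP-initiated sign-on. The following is an added example, not code from the original post or from Shibboleth or ADFS: it builds the ADFS IdP-initiated URL in its RelayState=RPID=...&RelayState=... form (the inner pair URL-encoded once more than the outer parameter, which is where hand-built URLs usually go wrong), keeps the username= prefill the post already uses, and shows the check an SP-side handler should apply before honouring a return target, since a RelayState that is trusted blindly is an open redirect. The ADFS host, the RP identifier, the vhost names and the username are constructed placeholders; whether a given ADFS version honours username= together with RelayState= is an assumption to verify against ADFS, not something the post establishes.

```python
"""Build and validate an ADFS IdP-initiated sign-on URL that carries a return target.

Added example, not code from the original post. Every hostname, the RP identifier
and the usernames below are constructed placeholders.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

ADFS_HOST = "adfs.example.edu"                   # assumed ADFS hostname
RP_ID = "https://sp.college.example/shibboleth"  # assumed SP entityID as registered in ADFS
# The four Apache vhosts from the post; the domain is assumed.
ALLOWED_VHOSTS = {f"web{n}.college.example" for n in range(1, 5)}


def validate_return_target(target: str) -> str:
    """Accept only an https URL whose host is one of our own vhosts.

    Without this check, whoever controls the sign-on link controls where the
    user lands after authenticating (an open redirect through RelayState).
    """
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise ValueError(f"return target must be https: {target!r}")
    if parts.hostname not in ALLOWED_VHOSTS:
        raise ValueError(f"return target host not allowed: {parts.hostname!r}")
    return target


def build_idp_initiated_url(username: str, return_target: str,
                            rp_id: str = RP_ID, adfs_host: str = ADFS_HOST) -> str:
    """ADFS IdP-initiated sign-on with RelayState=RPID=<rp>&RelayState=<target>.

    ADFS expects the inner RPID/RelayState pair to be URL-encoded once, and that
    whole string to be URL-encoded again as the value of the outer RelayState
    parameter (double encoding). Each urlencode() call applies one level.
    username= is the prefill parameter the post already uses; ADFS honouring it
    alongside RelayState= on a particular version is an assumption to verify.
    """
    validate_return_target(return_target)
    inner = urlencode({"RPID": rp_id, "RelayState": return_target})
    outer = urlencode({"RelayState": inner, "username": username})
    return f"https://{adfs_host}/adfs/ls/IdpInitiatedSignOn.aspx?{outer}"


def parse_return_target(url: str) -> str:
    """Undo the double encoding, as a receiving handler would, then validate.

    Raises ValueError if the RPID is not ours or the target is not one of our vhosts.
    """
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    inner = parse_qs(outer["RelayState"][0], strict_parsing=True)
    if inner["RPID"][0] != RP_ID:
        raise ValueError("RPID does not match this SP")
    return validate_return_target(inner["RelayState"][0])


if __name__ == "__main__":
    url = build_idp_initiated_url("jdoe", "https://web2.college.example/app/start")
    print(url)
    print("returns to:", parse_return_target(url))
```

The allow-list is the important part for the multi-vhost layout described in the post: each of web1 through web4 is a legitimate destination, so the check is on the host set rather than on a single fixed URL, and anything outside that set, including a plain http URL to one of the real vhosts, is refused before the user is redirected.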