vhosts with SP, single entity id

William Eubank william.eubank at uah.edu
Mon Mar 5 12:13:08 EST 2018


Fair enough.

So, as embarrassing as it is to admit, the initial issue was my own fault.
My locally maintained 3rd party aggregate file had this same SP entry in it
already, overriding the ACS changes I was adding.  I have removed the
duplicate now and it's working, except with one caveat which I hope to
resolve.

It seems the apache vhost ServerName is still in play in the SP.  If in my
vhost I define ServerName "vhost.uah.edu" then auth fails and the IDP shows
trying to reach http://vhost.uah.edu:443/Shibboleth.sso/SAML2/POST which
fails since 443 is listening to https requests, not http.  But if in the
apache vhosts file I define ServerName with an https prefix,
https://vhost.uah.edu, it works.  And this may be what has to be but it
just feels wrong.

Shouldn't the ACS lines in the metadata in the IDP take precedence over the
(I assume) dynamically built ACS lines the SP builds and sends to it?

I've also tried with the vhost Location having "ShibRequestSetting
applicationId vhost.uah.edu" and shibboleth2.xml having
"<ApplicationOverride signing="true" id="vhost.uah.edu" entityID="
https://host.ds.uah.edu/shibboleth"/>".

-W



On Mon, Mar 5, 2018 at 10:17 AM, Peter Schober <peter.schober at univie.ac.at>
wrote:

> * William Eubank <william.eubank at uah.edu> [2018-03-05 16:55]:
> > So I changed my SP to signing="true" and restarted shibd.  Still no luck.
> >
> >     <ApplicationDefaults entityID="https://host.ds.uah.edu/shibboleth"
> >                          REMOTE_USER="eppn persistent-id targeted-id"
> > signing="true">
> >
> > Or am I missing a step to get signing authn requests in play?
>
> Sorry, "Still no luck" is not a technical error message.
> Are the requests now signed (just look at them in the browser,
> e.g. using Olav's SAMLtracer for Firefox) or not?
>
> If they are signed, then this alone won't accomplish anything, you'd
> still have to change the skipEndpointValidationWhenSigned option in
> your IDP to make the signed request change anything.
>
> But first I'd get our IDP to work with the existing system w/o
> signing, since adding a line with an ACS for the vhost /is/ everything
> that's needed and should work.
> Only after that I'd look into the SP signing and IDP config change.
>
> -peter



-- 
William Eubank
Sr Software Development Lead
VBRH, C-2A
Office of Information Technology (OIT)
University of Alabama in Huntsville
256-824-5375
william.eubank at uah.edu

“The only thing worse than a problem without a solution is a solution that
does not address a problem.”
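The two failure modes discussed in this thread (the SP computing an ACS of http://vhost.uah.edu:443/... that the IdP does not recognise, and Peter's point that signing only helps once skipEndpointValidationWhenSigned is enabled) come down to one check: the IdP compares the AssertionConsumerServiceURL in the AuthnRequest with the ACS endpoints in the SP's metadata. The script below is an added illustration of that check and is not Shibboleth code; the metadata document is constructed for the example (it reuses the host names from the thread), and the `build_acs_url` helper is a deliberate simplification of how an SP assembles its handler URL from scheme, host and port rather than the SP's actual implementation.

```python
"""Simulate the IdP's ACS endpoint check against SP metadata.

Added illustration for the thread above, not Shibboleth code. The metadata
below is constructed; the host names are the ones used in the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample SP metadata: one entityID, an ACS per vhost.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://host.ds.uah.edu/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://host.ds.uah.edu/Shibboleth.sso/SAML2/POST" index="1"/>
    <AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://vhost.uah.edu/Shibboleth.sso/SAML2/POST" index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acs_locations(metadata_xml):
    """Return the set of AssertionConsumerService Location URLs in the metadata."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD_NS}}}AssertionConsumerService"
    return {el.get("Location") for el in root.iter(tag)}


def build_acs_url(scheme, host, port, path="/Shibboleth.sso/SAML2/POST"):
    """Simplified stand-in for how an SP assembles its handler URL (assumption,
    not the real SP logic): scheme + host + explicit port unless it is the
    default for that scheme. A vhost that reports scheme http on port 443
    therefore yields the http://...:443 URL seen in the thread."""
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}{path}"
    return f"{scheme}://{host}:{port}{path}"


def normalize(url):
    """Canonicalise a URL so https://h/p and https://h:443/p compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port, parts.path)


def endpoint_accepted(requested_acs, metadata_xml, signed=False,
                      skip_validation_when_signed=False):
    """Decide whether an IdP would honour the ACS named in an AuthnRequest.

    The request's ACS must match a registered endpoint, unless the request is
    signed AND the deployer has opted out of endpoint validation for signed
    requests (the skipEndpointValidationWhenSigned option from the thread).
    """
    if signed and skip_validation_when_signed:
        return True
    wanted = normalize(requested_acs)
    return any(normalize(loc) == wanted for loc in acs_locations(metadata_xml))


if __name__ == "__main__":
    for scheme, port in (("http", 443), ("https", 443)):
        acs = build_acs_url(scheme, "vhost.uah.edu", port)
        print(acs, "->", "accepted" if endpoint_accepted(acs, SAMPLE_METADATA) else "rejected")
```

Running it shows the http://vhost.uah.edu:443 form rejected and the https form accepted, which is exactly why adding the vhost's ACS to the metadata is sufficient once the SP advertises the right scheme, and why a signed request changes nothing unless the IdP is told to skip the endpoint check.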