HOW to setup URL Redirect for accessing a Linux server?

Nate Klingenstein ndk at signet.id
Wed Nov 21 17:51:03 EST 2018 

Dear Abby, (American joke: I always figured I would write that someday)

> However, we have already setup the IDP in the Linux platform, my boss also
> tested for the SP server which installed in Linux. He gets some reverse
> proxy setting for redirect to other applications which run on Linux, one is
> moodle and another one is a self developed program running on Linux too.

As long as those applications are running within the same web environment as the native SP module or you have an appropriate forwarding connector, this will work.

> Then he asks me to test the SP server in Windows platform, as a result, I
> have to setup a reverse proxy to protect non-iis applications which are not
> running in the same server as the SP.

When the applications are not running within the same web environment as the native SP module and there is no appropriate forwarding connector, this isn't possible.

> pdf, I can make it according to the pdf, but the example is not for redirect
> to url / server not in the local computer.

Yes, that's because of the above reasons.  The user's session is tied to the SP, and generally also to a specific hostname by cookie.

> So I have my question in how to setup url redirect for accessing a Linux
> server.

I think my first answer is still accurate.  You'll need to either:

A)  Set up an SP on that Linux server itself that can talk directly to the IdP

or

B)  Set up an authentication proxy and transfer mechanism between the IIS server and the Linux server.  That proxy can be a lot of things, but it can't be insecure, so you need to choose a wise way to forward the information on to the Linux server.  Running a second IdP on the IIS server that is protected by the SP on the IIS server and running an SP on the Linux server that talks to the IdP on the IIS server would be one way using SAML.  You can make the cookie scope more broad, within the limits of the specifications, but that has its own security implications, and there still needs to be a module on the Linux server and some shared session storage.  You could also use a variety of other protocols, such as OAuth, CAS, or something you invent.  You can't just blindly forward the request to a totally different server environment.

The way the URL looks will depend on how you choose to forward authentication information since you would generally like to send the user's session forward with the request.

Take care,
Nate.

More information about the users mailing list