SP 3 and reverseProxy

Peter Schober peter.schober at univie.ac.at
Mon Oct 29 12:07:24 EDT 2018


* Jehan PROCACCIA <jehan.procaccia at tem-tsp.eu> [2018-10-29 16:39]:
> you talk about "reverse-proxy", as Peter and Scott responded to me,
> in order not to confuse my objectives (factorizing SP deployment to
> a single proxy), your architecture should be called "forward
> proxy", do you agree?

Forget about the term "forward proxy", even if that decade-old
shib wiki page is called that. It's a reverse proxy.

> that seems to fulfill my objectives, but I am still confused when you
> talk about "multiple metadata sets required by different
> applications"
> on your central Proxy SP deployment, do you have to specify
> overrides for each application and hence have to publish metadata
> for each of them ?

There's no software requirement for overrides to protect multiple
resources, that just depends on how much you'd want an IDP to know
about the different applications (e.g. sending different sets of
attributes) or how much isolation the applications proxied by the SP
web server require, whether SLO support is a must, etc.

Some decisions here mean making every application into its own
(logical) SAML SP, e.g. the need for SLO or for an IDP to
differentiate the proxied resources/applications.
Others could well be handled with a single entity descriptor and
either one additional ACS URL per vhost or by signing authn requests.

So these are all typical questions to ask yourself when hosting many
sites/resources on a single server/system, the fact that some of your
protected resources are proxied to other servers is immaterial for the
design of the proxy. (It may be important for the design of the
applications, though.)

As Scott said, most (sane) use cases shouldn't require overrides
today.
But whether a given deployment has needs that require use of an SP
override depends on the use case.

> I hope it still works with recent versions (apache 2.4, SP 3)

Which parts shouldn't work anymore? The httpd protects a resource (with
help from the Shib SP), and that resource may in fact be proxied to
another server by another httpd module.

-peter
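An added illustration of the setup described in the last paragraph, not code from this thread or from the Shibboleth project: one httpd vhost in which mod_shib protects two paths that mod_proxy forwards to separate backend servers, all under a single SP entity. The backend hostnames, paths, header names and the `eppn`/`affiliation` attribute ids are assumptions.

```apache
# Added example: one httpd + Shib SP front end proxying two applications.
# app1.internal / app2.internal are placeholder backend hosts.
<VirtualHost *:443>
    ServerName sp.example.org
    # TLS directives omitted

    # Export attributes as environment variables only. With headers off,
    # the backends are never handed Shib-* request headers to trust;
    # identity is passed only in headers this config sets explicitly.
    ShibUseHeaders Off
    ShibUseEnvironment On

    # Drop any client-supplied copies of the identity headers before
    # authentication, so they can never reach a backend unverified.
    RequestHeader unset X-Remote-User early
    RequestHeader unset X-Affiliation early

    # Application 1: protected here, served by an internal host.
    <Location /app1>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session

        # Copy SP-verified attributes into headers the backend expects.
        RequestHeader set X-Remote-User "%{eppn}e"
        RequestHeader set X-Affiliation "%{affiliation}e"
        ProxyPass        http://app1.internal:8080/
        ProxyPassReverse http://app1.internal:8080/
    </Location>

    # Application 2: same SP entity, just another protected path.
    <Location /app2>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
        RequestHeader set X-Remote-User "%{eppn}e"
        ProxyPass        http://app2.internal:8080/
        ProxyPassReverse http://app2.internal:8080/
    </Location>

    # The SP's own handler must be served locally, never proxied.
    <Location /Shibboleth.sso>
        SetHandler shib
        ProxyPass !
    </Location>
</VirtualHost>
```

The backends must accept X-Remote-User only from this proxy (network restriction or mutual TLS), since nothing in the header itself proves it came from the SP.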