Question about use of ApplicationOverride
Amos
a.goo0h at gmail.com
Mon Apr 15 15:02:06 EDT 2019
We have a lot of sub-sites that need differing levels of attribute
release. In the past, we've been doing it via ApplicationOverride blocks
like so:
<ApplicationOverride id="rectangles" REMOTE_USER="Shib-uid">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/rectangles/chipper/dandelion/Shibboleth.sso" handlerSSL="true"
              cookieProps="; secure; HttpOnly; path=/rectangles/chipper/dandelion"/>
    <AttributeExtractor type="XML" validate="true" path="attribute-map-rectangles.xml"/>
</ApplicationOverride>
However, we have found that for the applicationId above to work, the IDP
needs to have additional lines within the <md:SPSSODescriptor> like this:
<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://www.x.org/rectangles/chipper/dandelion/Shibboleth.sso/SAML2/POST"
    index="1"/>
This seems to work fine, but does require adding the required definitions
on both the SP and the IDP. I tried putting that
<md:AssertionConsumerService> block into the <Sessions> section of
shibboleth2.xml on the SP, but then discovered that the Location field is
relative. Consequently, this of course didn't work. OK, so I wondered if
I could do something like this:
<ApplicationOverride id="rectangles" REMOTE_USER="Shib-uid">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/rectangles/chipper/dandelion/Shibboleth.sso" handlerSSL="true"
              cookieProps="; secure; HttpOnly; path=/rectangles/chipper/dandelion">
        <md:AssertionConsumerService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="/rectangles/chipper/dandelion/Shibboleth.sso/SAML2/POST"
            index="1"/>
    </Sessions>
    <AttributeExtractor type="XML" validate="true" path="attribute-map-rectangles.xml"/>
</ApplicationOverride>
The Shibboleth SP doesn't complain, but this doesn't seem to work either.
Can this be done so all the IDP has to do is periodically retrieve the
metadata from the SP?
Thanks.
Amos
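An added example, not part of the original post or of the Shibboleth project: a small pre-deployment check for the situation the message describes, namely that every ApplicationOverride handlerURL has a matching absolute HTTP-POST AssertionConsumerService Location in the SP metadata the IdP holds. The entityID, the base URL https://www.x.org/ and the two sample metadata documents are constructed for illustration; the function and variable names are the example's own.

```python
# Added example (not from the original post): verify that the SP metadata the
# IdP consumes lists the HTTP-POST AssertionConsumerService endpoint that each
# Shibboleth SP ApplicationOverride will use (handlerURL + "/SAML2/POST").
# Names, URLs and the sample metadata below are constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: metadata that only registers the default handler.
SP_METADATA_DEFAULT_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.x.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.x.org/Shibboleth.sso/SAML2/POST"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same document with the override's endpoint added,
# which is what the post says the IdP needs.
SP_METADATA_WITH_OVERRIDE = SP_METADATA_DEFAULT_ONLY.replace(
    "  </md:SPSSODescriptor>",
    """    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.x.org/rectangles/chipper/dandelion/Shibboleth.sso/SAML2/POST"
        index="2"/>
  </md:SPSSODescriptor>""",
)


def expected_acs_location(base_url, handler_url, suffix="/SAML2/POST"):
    """handlerURL in shibboleth2.xml is relative to the virtual host; the SP
    appends the protocol handler path, so the IdP must know the absolute form."""
    return urljoin(base_url, handler_url.rstrip("/") + suffix)


def registered_acs_locations(metadata_xml, binding=HTTP_POST):
    """Return every AssertionConsumerService Location for the given binding."""
    root = ET.fromstring(metadata_xml)
    return {
        acs.get("Location")
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
        if acs.get("Binding") == binding
    }


def missing_acs_endpoints(metadata_xml, base_url, handler_urls):
    """Handler URLs whose POST ACS endpoint is absent from the metadata.
    The IdP resolves the AuthnRequest's ACS URL against its copy of the SP
    metadata, so an override whose endpoint is missing here will not work."""
    registered = registered_acs_locations(metadata_xml)
    return sorted(
        loc
        for loc in (expected_acs_location(base_url, h) for h in handler_urls)
        if loc not in registered
    )


if __name__ == "__main__":
    handlers = ["/Shibboleth.sso", "/rectangles/chipper/dandelion/Shibboleth.sso"]
    for label, md in (("default only", SP_METADATA_DEFAULT_ONLY),
                      ("with override", SP_METADATA_WITH_OVERRIDE)):
        print(label, "-> missing:", missing_acs_endpoints(md, "https://www.x.org/", handlers))
```

Run it against the metadata document actually published to the IdP (rather than the constructed samples) with the handlerURL of every ApplicationOverride; an empty result means the IdP side already has every endpoint the SP's overrides will send to.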