configuring shibboleth on AWS using ELB

Nate Klingenstein ndk at
Tue Dec 3 08:48:26 EST 2019


Yes, it will work fine.  If you're using Apache, you need to virtualize the virtual host with the right directives, generally ServerName, so that it "thinks" it's the load balancer AND your metadata needs to reflect this.  You can do the same with the Site directive in IIS.  Many SPs are deployed like this.

By virtualization, essentially, the web server needs to "think" it's the load balancer when examining inbound messages and generating outbound requests.  That's all.

Take care,




The Art of Access ®

Nate Klingenstein | Principal 

-----Original message-----
From: Deirdre Kirmis
Sent: Tuesday, December 3 2019, 6:26 am
To: Nate Klingenstein; Shib Users
Subject: Re: configuring shibboleth on AWS using ELB

Nate, thank you so much for your response. Yes, my instance is behind a load-balancer, but I have a DNS entry pointing to the ELB AWS domain, which is what I am using for my SP address. What do you mean by "Get the virtualization on your instance to match ELB"? Will I be able to make this work?
Thank you!
Deirdre Kirmis
Web Application Developer
Discovery Services
ASU Library
Arizona State University

From: users <users-bounces at> on behalf of Nate Klingenstein <ndk at>
Sent: Tuesday, December 3, 2019 2:11 AM
To: Shib Users <users at>
Subject: RE: configuring shibboleth on AWS using ELB

> however in my server log I get an error that the attributes are null.  When I try to "fetch" my site metadata, it just spins and never comes back as uploaded. When I manually upload the file, it acts like it was successful, but when I try the test it says my site is not registered. What am I doing wrong?

Sorry, in my haste, I missed this part of your message.  It's most likely that your site is behind a load balancer (obviously) and SAMLtest can't issue queries directly to individual nodes behind a load balancer.  Even if it could, it would receive the wrong answer.  Alternative possibilities exist, but this one looks pretty clear.  Get the virtualization on your instance to match ELB and then type in ELB as your IdP address.

You'd eventually have to do this with any IdP, so this is far from a fruitless exercise.

Take care,
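
Added example, not part of the original thread and not Shibboleth project code: a Python check that every endpoint `Location` in an SP's SAML metadata has the same scheme, host and port as the load balancer's public URL, which is the "metadata needs to reflect this" condition from the first reply. The hostnames, the metadata sample and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample metadata; {base} is what the web server believes its own URL is.
TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{base}/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
NODE_VIEW = TEMPLATE.format(base="http://ip-10-0-1-23.ec2.internal")  # no virtualization
LB_VIEW = TEMPLATE.format(base="https://sp.example.org:443")          # matches the ELB


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def mismatched_endpoints(metadata_xml, public_url):
    """List (element, Location) pairs whose origin differs from public_url.

    Intended for metadata taken from your own SP, not for untrusted XML.
    """
    want = origin(public_url)
    problems = []
    root = ET.fromstring(metadata_xml)
    for sp in root.iter(f"{{{MD}}}SPSSODescriptor"):
        for el in sp.iter():  # includes endpoints nested under Extensions
            loc = el.get("Location")
            if loc and origin(loc) != want:
                problems.append((el.tag.rsplit("}", 1)[-1], loc))
    return problems


if __name__ == "__main__":
    for name, xml in (("node view", NODE_VIEW), ("ELB view", LB_VIEW)):
        bad = mismatched_endpoints(xml, "https://sp.example.org")
        print(name, "OK" if not bad else f"MISMATCH {bad}")
```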

