configuring shibboleth on AWS using ELB
John Schrader
John.Schrader at nd.edu
Tue Dec 10 10:54:38 EST 2019
Is "UseCanonicalName On" set in the Apache vhost config?
My go-to base Apache config for a Shib SP looks like:
########
# Build self-referential URLs from ServerName rather than the inbound Host
# header, so the SP behaves as if it were the load balancer.
UseCanonicalName On
<VirtualHost *:80>
    # Scheme and name of the load balancer that terminates TLS in front of this instance
    ServerName https://<FQDN of LB>
    DocumentRoot /var/www
    # Hand the SP's handler URLs (metadata, session, SAML endpoints) to mod_shib
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    <Location />
        AuthType shibboleth
        # entityIDSelf overrides the SP's own entityID; entityID pins the IdP used here
        ShibRequestSetting entityIDSelf <SP Entity ID>
        ShibRequestSetting entityID <IdP EntityID>
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>
</VirtualHost>
########
-John S
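An added check, not John's or Nate's code and not part of the thread: Nate's point that the SP's metadata must reflect the load balancer name can be verified by parsing the metadata the SP serves from its /Shibboleth.sso/Metadata handler and flagging every endpoint that is not an https URL on the load balancer's FQDN. The metadata below is constructed; sp.example.edu and ip-10-0-1-23.ec2.internal are placeholder hostnames.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed SP metadata (not from the thread): one endpoint on the load
# balancer's https name, one with an http:// scheme, one on the EC2 instance's
# own hostname; the last two are what an un-virtualized Apache tends to publish.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.edu/Shibboleth.sso/SAML2/POST"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ip-10-0-1-23.ec2.internal/Shibboleth.sso/SLO/Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def find_misplaced_endpoints(metadata_xml, lb_fqdn):
    """Return (element name, Location, reason) for each SAML endpoint whose
    Location is not an https URL on lb_fqdn.  Intended for the SP's own,
    locally generated metadata; use defusedxml for anything fetched remotely."""
    root = ET.fromstring(metadata_xml)
    problems = []
    for el in root.iter():
        location = el.get("Location")
        if location is None:
            continue  # not an endpoint element
        name = el.tag.split("}")[-1]  # strip the {namespace} prefix
        parts = urlsplit(location)
        if parts.scheme != "https":
            problems.append((name, location,
                             "scheme is %s, expected https" % parts.scheme))
        elif parts.hostname != lb_fqdn.lower():
            problems.append((name, location,
                             "host is %s, expected %s" % (parts.hostname, lb_fqdn)))
    return problems

if __name__ == "__main__":
    for name, location, reason in find_misplaced_endpoints(SAMPLE_METADATA, "sp.example.edu"):
        print("%s %s: %s" % (name, location, reason))
```

Run it against the live metadata of an instance behind the ELB: an http:// ACS or an instance hostname in the output is the mismatch that makes the IdP post the response somewhere the browser session can never be established.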
On Tue, Dec 10, 2019 at 10:28 AM Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
wrote:
> I prefer to use an ALB as well, but I can’t seem to make it work.
> Everything works fine without it, but as soon as I add the server back to
> the target group of the ALB, remove the https redirect in my local config
> (the http listener on the ALB redirects to https), it goes back to going
> through the authentication process as it should, but never actually logging
> me in. The only thing that shows in the logs is that it can’t find the
> attributes, but the Session URL shows them there. The shibboleth log looks
> normal, as far as I can tell.
>
> Deirdre Kirmis
> Technology Services
> Arizona State University Library
> 480-965-7240
>
> *From:* Nate Klingenstein <ndk at signet.id>
> *Sent:* Tuesday, December 10, 2019 5:57 AM
> *To:* Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
> *Cc:* Shib Users <users at shibboleth.net>
> *Subject:* RE: configuring shibboleth on AWS using ELB
>
> Deirdre,
>
> I prefer to use layer 7 (application) load balancers for better
> stickiness. Others on the list will disagree with good reason and it really
> depends on use case.
>
> In most cases it doesn't matter that much. Some security, speed, and user
> experience tradeoffs, but nothing dramatic unless you have very specific
> requirements.
>
> Best,
> Nate.
>
> On Dec 9, 2019 11:38 PM, Deirdre Kirmis <Deirdre.Kirmis at asu.edu> wrote:
>
> In the continuing saga of me trying to get shibboleth to work on AWS EC2
> with a load balancer…I removed the load balancer and added redirect to
> https (and generated local SSL cert files and pointed to them in my
> ssl.conf) and shibboleth is now working perfectly on my server.
>
> So, my next question…for those of you that have gotten this working…did
> you use a network load balancer, or an application load balancer?
>
> I have been trying with an application LB and have been told that I
> probably need to use NLB.
>
> Deirdre Kirmis
> Technology Services
> Arizona State University Library
> 480-965-7240
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Nate
> Klingenstein
> *Sent:* Tuesday, December 3, 2019 6:49 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: configuring shibboleth on AWS using ELB
>
> It's hard to tell you without actually seeing your configuration, but the
> only other possible cause I can think of would be a badly misconfigured IdP
> initiated setup. If you're working with SP first, it's probably one of
> those two issues: metadata or server misconfiguration.
>
> On Tue, Dec 3, 2019, 8:59 AM Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
> wrote:
>
> In fact, everywhere that I have ServerName configured…I have it configured
> as https://<dns name pointing to my ELB>:443
>
> Is that correct? Is there some other configuration that I missed?
>
> Deirdre Kirmis
> Technology Services
> Arizona State University Library
> 480-965-7240
>
> *From:* Deirdre Kirmis
> *Sent:* Tuesday, December 3, 2019 8:34 AM
> *To:* Nate Klingenstein <ndk at signet.id>; Shib Users <users at shibboleth.net>
> *Subject:* RE: configuring shibboleth on AWS using ELB
>
> So, I do already have the ServerName directive pointing to the CNAME
> record that I set up for the ELB, in all instances of “ServerName” in the
> config files (i.e. httpd.conf, ssl.conf, etc.); those files are pointing to
> the DNS entry for the load balancer. Everywhere that I am referencing my
> site is using that domain.
>
> Deirdre Kirmis
> Technology Services
> Arizona State University Library
> 480-965-7240
>
> *From:* Nate Klingenstein <ndk at signet.id>
> *Sent:* Tuesday, December 3, 2019 6:48 AM
> *To:* Deirdre Kirmis <Deirdre.Kirmis at asu.edu>; Shib Users <
> users at shibboleth.net>
> *Subject:* RE: configuring shibboleth on AWS using ELB
>
> Deirdre,
>
> Yes, it will work fine. If you're using Apache, you need to virtualize
> the virtual host with the right directives, generally ServerName
> loadbalancer.asu.edu:443, so that it "thinks" it's the load balancer AND
> your metadata needs to reflect this. You can do the same with the Site
> directive in IIS. Many SPs are deployed like this.
>
> By virtualization, essentially, the web server needs to "think" it's the
> load balancer when examining inbound messages and generating outbound
> requests. That's all.
>
> Take care,
> Nate.
>
> --------
>
> The Art of Access *®*
>
> *Nate Klingenstein* | Principal
> https://www.signet.id/
>
> -----Original message-----
> *From:* Deirdre Kirmis
> *Sent:* Tuesday, December 3 2019, 6:26 am
> *To:* Nate Klingenstein; Shib Users
> *Subject:* Re: configuring shibboleth on AWS using ELB
>
> Nate, thank you so much for your response. Yes, my instance is behind a
> load-balancer, but I have a DNS entry pointing to the ELB AWS domain, which
> is what I am using for my SP address. What do you mean by "Get the
> virtualization on your instance to match ELB"? Will I be able to make this
> work?
>
> Thank you!
>
> Deirdre Kirmis
> Web Application Developer
> Discovery Services
> ASU Library
> Arizona State University
> 480-965-7240
>
> ------------------------------
>
> *From:* users <users-bounces at shibboleth.net> on behalf of Nate
> Klingenstein <ndk at signet.id>
> *Sent:* Tuesday, December 3, 2019 2:11 AM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* RE: configuring shibboleth on AWS using ELB
>
> Deirdre,
>
> > however in my server log I get an error that the attributes are null.
> > When I try to "fetch" my site metadata, it just spins and never comes back
> > as uploaded. When I manually upload the file, it acts like it was
> > successful, but when I try the test it says my site is not registered. What
> > am I doing wrong?
>
> Sorry, in my haste, I missed this part of your message. It's most likely
> that your site is behind a load balancer (obviously) and SAMLtest can't
> issue queries directly to individual nodes behind a load balancer. Even if
> it could, it would receive the wrong answer. Alternative possibilities
> exist, but this one looks pretty clear. Get the virtualization on your
> instance to match ELB and then type in ELB as your IdP address.
>
> You'd eventually have to do this with any IdP, so this is far from a
> fruitless exercise.
>
> Take care,
> Nate.
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
--
John Schrader
Cloud Platform Services
Cloud Engineer Specialist
University of Notre Dame
EVERYTHING SHOULD BE MADE AS SIMPLE AS POSSIBLE, BUT NOT ANY SIMPLER
—ALBERT EINSTEIN