configuring shibboleth on AWS using ELB
Deirdre Kirmis
Deirdre.Kirmis at asu.edu
Tue Dec 10 15:29:01 EST 2019
Thanks so much for that config and info. I tried adding UseCanonicalName On and some other settings that you have here that I didn’t, and it didn’t seem to matter.
I’ve gotten a response from the vendor of my application saying that I need to install an “SSL certificate that includes "alt" names covering the entire chain: that is, all the DNS names, from the public DNS name accessed by end users to the back-end hostnames, and in between, the DNS name of the ELB. And, that same certificate needs to be installed locally”.
Is this the case? We are using a wildcard cert on AWS but I don’t know if that includes backend hostnames…I thought that’s why we had custom domains assigned. And, I didn’t think I even needed the cert installed locally if I’m using an ELB. I currently just have a “Let’s Encrypt” cert installed.
From: users <users-bounces at shibboleth.net> On Behalf Of John Schrader
Sent: Tuesday, December 10, 2019 8:55 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: configuring shibboleth on AWS using ELB
Is "UseCanonicalName On" set in the Apache vhost config?
My go-to base Apache config for a Shib-SP looks like:
########
# Build self-referential URLs from ServerName, not from the Host: header or
# the instance's own name, so the SP "thinks" it is the load balancer.
UseCanonicalName On
<VirtualHost *:80>
    # Scheme and name as seen by end users, i.e. the LB's public FQDN.
    ServerName https://<FQDN of LB>
    DocumentRoot /var/www
    # Hand the SP handler paths (metadata, ACS, session status) to shibd.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    # Protect everything else; require an existing Shibboleth session.
    <Location />
        AuthType shibboleth
        ShibRequestSetting entityIDSelf <SP Entity ID>
        ShibRequestSetting entityID <IdP EntityID>
        ShibRequestSetting requireSession 1
        require shib-session
    </Location>
</VirtualHost>
########
-John S
On Tue, Dec 10, 2019 at 10:28 AM Deirdre Kirmis <Deirdre.Kirmis at asu.edu> wrote:
I prefer to use an ALB as well, but I can’t seem to make it work. Everything works fine without it, but as soon as I add the server back to the target group of the ALB, remove the https redirect in my local config (the http listener on the ALB redirects to https), it goes back to going through the authentication process as it should, but never actually logging me in. The only thing that shows in the logs is that it can’t find the attributes, but the Session URL shows them there. The shibboleth log looks normal, as far as I can tell.
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
From: Nate Klingenstein <ndk at signet.id>
Sent: Tuesday, December 10, 2019 5:57 AM
To: Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
Cc: Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB
Deirdre,
I prefer to use layer 7 (application) load balancers for better stickiness. Others on the list will disagree with good reason and it really depends on use case.
In most cases it doesn't matter that much. Some security, speed, and user experience tradeoffs, but nothing dramatic unless you have very specific requirements.
Best,
Nate.
On Dec 9, 2019 11:38 PM, Deirdre Kirmis <Deirdre.Kirmis at asu.edu> wrote:
In the continuing saga of me trying to get shibboleth to work on AWS EC2 with a load balancer…I removed the load balancer and added redirect to https (and generated local SSL cert files and pointed to them in my ssl.conf) and shibboleth is now working perfectly on my server.
So, my next question…for those of you that have gotten this working…did you use a network load balancer, or an application load balancer?
I have been trying with an application LB and have been told that I probably need to use NLB.
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: Tuesday, December 3, 2019 6:49 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: configuring shibboleth on AWS using ELB
It's hard to tell you without actually seeing your configuration, but the only other possible cause I can think of would be a badly misconfigured IdP initiated setup. If you're working with SP first, it's probably one of those two issues: metadata or server misconfiguration.
On Tue, Dec 3, 2019, 8:59 AM Deirdre Kirmis <Deirdre.Kirmis at asu.edu> wrote:
In fact, everywhere that I have ServerName configured…I have it configured as https://<dns name pointing to my ELB>:443
Is that correct? Is there some other configuration that I missed?
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
From: Deirdre Kirmis
Sent: Tuesday, December 3, 2019 8:34 AM
To: Nate Klingenstein <ndk at signet.id>; Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB
So, I do already have the ServerName directive pointing to the CNAME record that I set up for the ELB, in all instances of “ServerName” in the config files (ie: httpd.conf, ssl.conf, etc) .. those files are pointing to the DNS entry for the load balancer. Everywhere that I am referencing my site is using that domain.
Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240
From: Nate Klingenstein <ndk at signet.id>
Sent: Tuesday, December 3, 2019 6:48 AM
To: Deirdre Kirmis <Deirdre.Kirmis at asu.edu>; Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB
Deirdre,
Yes, it will work fine. If you're using Apache, you need to virtualize the virtual host with the right directives, generally ServerName loadbalancer.asu.edu:443, so that it "thinks" it's the load balancer AND your metadata needs to reflect this. You can do the same with the Site directive in IIS. Many SPs are deployed like this.
By virtualization, essentially, the web server needs to "think" it's the load balancer when examining inbound messages and generating outbound requests. That's all.
Take care,
Nate.
--------
The Art of Access ®
Nate Klingenstein | Principal
https://www.signet.id/
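One concrete place the "think it's the load balancer" rule bites is the SAML 2.0 POST binding's Destination check, modelled here in an added Python sketch that is not part of the thread or of the Shibboleth SP code. The hostnames and the samlp:Response are constructed, and self_url is a simplified stand-in for Apache's UseCanonicalName/ServerName behaviour, not the SP's implementation.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/Shibboleth.sso/SAML2/POST"

# Constructed hostname for illustration, not from the thread.
LB_FQDN = "loadbalancer.example.edu"

# Constructed SAML Response as the IdP would POST it to the SP's ACS.
# The IdP copies Destination from the SP metadata, i.e. the LB name.
RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    f'IssueInstant="2019-12-10T15:00:00Z" '
    f'Destination="https://{LB_FQDN}{ACS_PATH}"/>'
)


def self_url(server_name, use_canonical_name, host_header, local_port, path):
    """Simplified model of Apache's self-referential URL for an SP endpoint.

    UseCanonicalName On: scheme and host come from ServerName, so the SP
    'thinks' it is the load balancer.  Off: Apache trusts the Host: header
    and the local listener, which behind an ELB is plain HTTP on port 80.
    """
    if use_canonical_name:
        if "://" in server_name:
            scheme, host = server_name.split("://", 1)
        else:
            scheme, host = "https", server_name
    else:
        scheme = "https" if local_port == 443 else "http"
        host = host_header
    default_port = {"https": ":443", "http": ":80"}[scheme]
    if host.endswith(default_port):          # normalise away the default port
        host = host[: -len(default_port)]
    return f"{scheme}://{host}{path}"


def destination_ok(response_xml, acs_url):
    """SAML 2.0 binding rule: if Destination is present it must equal the
    URL the SP believes it received the message on, else it is rejected."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    dest = root.get("Destination")
    return dest is None or dest == acs_url


def login_would_succeed(use_canonical_name):
    """Back end listens on :80 behind the ELB; the ALB forwards the client's Host header."""
    acs = self_url(f"https://{LB_FQDN}", use_canonical_name,
                   host_header=LB_FQDN, local_port=80, path=ACS_PATH)
    return destination_ok(RESPONSE_XML, acs)
```

With UseCanonicalName Off the SP computes http://loadbalancer.example.edu/... (TLS ended at the ELB), which no longer matches the https Destination the IdP was given, so the round trip looks fine in the browser but no session is created.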
-----Original message-----
From: Deirdre Kirmis
Sent: Tuesday, December 3 2019, 6:26 am
To: Nate Klingenstein; Shib Users
Subject: Re: configuring shibboleth on AWS using ELB
Nate, thank you so much for your response. Yes, my instance is behind a load-balancer, but I have a DNS entry pointing to the ELB AWS domain, which is what I am using for my SP address. What do you mean by "Get the virtualization on your instance to match ELB"? Will I be able to make this work?
Thank you!
Deirdre Kirmis
Web Application Developer
Discovery Services
ASU Library
Arizona State University
480-965-7240
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Nate Klingenstein <ndk at signet.id>
Sent: Tuesday, December 3, 2019 2:11 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB
Deirdre,
> however in my server log I get an error that the attributes are null. When I try to "fetch" my site metadata, it just spins and never comes back as uploaded. When I manually upload the file, it acts like it was successful, but when I try the test it says my site is not registered. What am I doing wrong?
Sorry, in my haste, I missed this part of your message. It's most likely that your site is behind a load balancer (obviously) and SAMLtest can't issue queries directly to individual nodes behind a load balancer. Even if it could, it would receive the wrong answer. Alternative possibilities exist, but this one looks pretty clear. Get the virtualization on your instance to match ELB and then type in ELB as your IdP address.
You'd eventually have to do this with any IdP, so this is far from a fruitless exercise.
Take care,
Nate.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
John Schrader
Cloud Platform Services
Cloud Engineer Specialist
University of Notre Dame
EVERYTHING SHOULD BE MADE AS SIMPLE AS POSSIBLE, BUT NOT ANY SIMPLER
—ALBERT EINSTEIN