Shibboleth with AWS Cloudfront

Wessel, Keith kwessel at
Thu Nov 14 09:29:22 EST 2019

No problem, Shannon. The important things are to set handlerSSL to false and cookieProps to http in shibboleth2.xml. If using Apache, you’ll also need to set the Apache ServerName directive to a full https://hostname.tld:443 including the port number so that return URLs are properly constructed in requests sent to the IdP.


From: users <users-bounces at> On Behalf Of Sylvia, Shannon
Sent: Wednesday, November 13, 2019 5:25 PM
To: Shib Users <users at>
Subject: Re: Shibboleth with AWS Cloudfront

Thanks so much.

I have changed the configuration several times, and I believe that I tested allowing http traffic.

I will admit that I know very little about Shibboleth, and I am just becoming familiar with AWS.

I will look at the configuration file again and adjust if needed.

S. Sylvia

From: users <users-bounces at> on behalf of "Wessel, Keith" <kwessel at>
Reply-To: Shib Users <users at>
Date: Wednesday, November 13, 2019 at 6:15 PM
To: Shib Users <users at>
Subject: RE: Shibboleth with AWS Cloudfront

Is your AWS load balancer speaking http instead of https to the web server running the SP? If so, you need to get the SP to accept cookies and traffic from non-HTTPS endpoints.


From: users <users-bounces at> On Behalf Of Sylvia, Shannon
Sent: Wednesday, November 13, 2019 5:10 PM
To: users at
Subject: Shibboleth with AWS Cloudfront

Hello all,

I have spent days trying to understand why simple index.html websites that work fine in our in-house Linux environment using Shibboleth with the same configuration files go into a loop when I create the websites on AWS, using AWS Linux 2, AWS Application Load Balancer, CloudFront and Route 53.

It all appears to go through and connect to the IdP, it brings back the IdP metadata. I am told the IdP is able to update the SP metadata.

It is simply using Apache 2.4 on AWS Linux 2 – very straightforward. It is not using Elastic IPs, so the IP addresses are not fixed.

Does anyone have suggestions for this architecture?

Thanks so much in advance,
S. Sylvia
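The settings Keith names above, shown as an added shibboleth2.xml excerpt for an SP whose TLS is terminated at the AWS load balancer (an illustration, not a file from this thread; sp.example.edu and idp.example.edu are placeholders):

```xml
<!-- shibboleth2.xml excerpt for an SP behind a TLS-terminating ALB/CloudFront.
     Added illustration, not a configuration posted in the thread.
     Hostnames are placeholders. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          clockSkew="180">

  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth"
                       REMOTE_USER="eppn subject-id pairwise-id persistent-id">

    <!-- handlerSSL="false": the web server sees plain HTTP from the load
         balancer, so the SP must not insist that /Shibboleth.sso/* is
         reached over https (otherwise it redirects to https, the balancer
         delivers http again, and the login loops).
         cookieProps="http": do not ask the SP to require TLS for its session
         cookie from its own (http) point of view.
         Defender's note: this drops the Secure attribute on the cookie, so it
         is only appropriate when every client path enters via HTTPS at the
         edge and the instance's HTTP port is reachable solely from the
         load balancer's security group. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http"
              redirectLimit="exact">

      <SSO entityID="https://idp.example.edu/idp/shibboleth">
        SAML2
      </SSO>

      <Logout>SAML2 Local</Logout>

      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

    <!-- Error pages, MetadataProvider, AttributeExtractor and the
         CredentialResolver follow as in a standard SP install. -->

  </ApplicationDefaults>
</SPConfig>
```

In the Apache virtual host, set `ServerName https://sp.example.edu:443` and `UseCanonicalName On` so Apache builds self-referential URLs (and therefore the AssertionConsumerService URL the SP reports to the IdP) with the public https scheme and port rather than the http hop it actually sees.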
