configuring shibboleth on AWS using ELB

Michael A Grady mgrady at unicon.net
Mon Nov 25 20:10:21 EST 2019


Besides what Scott and Nate have touched on, also be sure you are running a version/distribution of the Shibboleth SP meant for the specific OS base you are using on your AWS instances. I’ve seen folks try to use a CentOS rpm for the SP on Amazon Linux, and that will not lead to good things. As Scott said, really no reason not to still use TLS from the ELB to your instances, but if you choose not to, you’ll still want to “virtualize” on the web server side so the SP will still understand that HTTPS is being used to get to it.

> On Nov 25, 2019, at 6:54 PM, Nate Klingenstein <ndk at signet.id> wrote:
> 
> Deirdre,
>  
> For what it's worth, we've configured a lot of IdPs and SPs in AWS, including SAMLtest. It's pretty straightforward: ELB, target groups, and instances, just wired together properly. There's really nothing special about it.
>  
> I often do it for single instances just because I like having ELB in between the world and me.  It doesn't really provide anything that security groups wouldn't other than IP address obfuscation, so it's more of a security blanket than a necessary piece of infrastructure, but hey.
>  
> Take care,
> Nate.
>  
> --------
>  
> 
> The Art of Access ®
>  
> Nate Klingenstein | Principal
> https://www.signet.id/
>  
> -----Original message-----
> From: Deirdre Kirmis
> Sent: Monday, November 25 2019, 4:30 pm
> To: users at shibboleth.net
> Subject: configuring shibboleth on AWS using ELB
> 
> Hi all…prefacing this to say that I am new to AWS and new to configuring shibboleth. I was wondering if anyone has successfully configured shibboleth on an AWS instance that is running https via a load balancer. I installed and configured shib, send/received metadata from my IDP, but when I generate my metadata file, the certs are not included, and the sp-cert.pem and sp-key.pem files did not get created. Do I still need to “configure” https locally on the server, and if so, how, and how do I fix my shib config?
>  
> Thanks for any help!
>  
> -- 
> 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Michael A. Grady
IAM Architect, Unicon, Inc.
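The "virtualize on the web server side" point above, as an added example that is not from the thread or from the Shibboleth project's own documentation: an Apache vhost for an EC2 instance where the ELB terminates TLS and forwards plain HTTP to port 80. The hostname sp.example.org, the ports and the /secure path are assumptions. The SP's Apache module derives the scheme, host and port of the request from what Apache reports, so if Apache believes it is serving plain http on port 80, the SP will generate http:// handler and AssertionConsumerService URLs and treat the session handlers as not being on SSL. ServerName with an explicit https scheme plus UseCanonicalName On makes Apache report the external https identity instead.

```apache
# Added example (not from the thread). Hostname and ports are assumed.
# The ELB listens on 443, terminates TLS, and forwards to this instance on 80.

Listen 80

<VirtualHost *:80>
    # Declare the canonical external URL as https on 443 even though this
    # vhost only listens on 80. With UseCanonicalName On, Apache (and
    # therefore mod_shib, which asks Apache for scheme/host/port) reports
    # https://sp.example.org:443 for every request, so the SP's
    # /Shibboleth.sso handler URLs and the ACS Location in generated
    # metadata come out as https. A side effect worth having: the client's
    # Host header is no longer used to build self-referential URLs.
    ServerName https://sp.example.org:443
    UseCanonicalName On

    # Must stay Off (the default): On would let the physical port (80)
    # override the 443 declared in ServerName.
    UseCanonicalPhysicalPort Off

    # Log the real client address instead of the ELB's (mod_remoteip).
    # Only trust this header because the security group restricts port 80
    # to the load balancer; otherwise clients could spoof it.
    RemoteIPHeader X-Forwarded-For

    DocumentRoot /var/www/html

    # A protected location, so the vhost is testable end to end.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>
</VirtualHost>
```

To verify, restart httpd and shibd, fetch https://sp.example.org/Shibboleth.sso/Metadata through the ELB, and check that the AssertionConsumerService Location attributes start with https://sp.example.org/ and not http://. If the ELB forwards to the instance over TLS instead (Scott's and Michael's preference), none of this is needed because mod_ssl already reports https.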



