configuring shibboleth on AWS using ELB

Tue Nov 26 16:31:02 EST 2019

I figured out the certs issue…do you mind if I ask if I have set this up correctly? I have an application load balancer, listening on ports 80 and 443, directing to a target group (with currently only 1 EC2 instance registered). I set up the ELB using our AWS wildcard certificate in ACM, and did not configure anything specifically on the EC2 to enforce https and regarding certs (ssl.conf is pointing to the localhost.key and .crt files).  I guess the “wired together properly” part is where I’m stuck. I installed shib, added the Location section for it in ssl.conf, configured shibboleth2.xml with servername and to point to my metadata file, which I got from my host provider (my organization is an IDP). Added shib as an authentication provider.

I see my provider on the login page of my app, but when I try to login I get an error “The login service was unable to identify a compatible way to respond to the requested application. This is generally due to a misconfiguration on the part of the application and should be reported to the application's support team or owner.”

Any ideas what I missed? Thank you!

Deirdre Kirmis
Technology Services
Arizona State University Library
480-965-7240

From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: Monday, November 25, 2019 5:54 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: configuring shibboleth on AWS using ELB

Deirdre,

For what it's worth, we've configured a lot of IdP's and SP's in AWS, including SAMLtest.  It's pretty straightforward: ELB, target groups, and instances, just wired together properly.  There's really nothing special about it.

I often do it for single instances just because I like having ELB in between the world and me.  It doesn't really provide anything that security groups wouldn't other than IP address obfuscation, so it's more of a security blanket than a necessary piece of infrastructure, but hey.

Take care,

Nate.

--------

[Image removed by sender.]

The Art of Access ®

Nate Klingenstein | Principal

https://www.signet.id/<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.signet.id_&d=DwMFaQ&c=l45AxH-kUV29SRQusp9vYR0n1GycN4_2jInuKy6zbqQ&r=X1YAM2yWs1HIcWRXyPCSUtCKxhQO748y834uz5ZFnTY&m=DKyXVdvZv_W0BxCMlPe5V6NyJWWVhQZynmMLKEIxOg4&s=PIehe9gqAJbDbVJPUhq8JhjM-UPEkeVHjaz6e2VSOhs&e=>

-----Original message-----
From: Deirdre Kirmis
Sent: Monday, November 25 2019, 4:30 pm
To: users at shibboleth.net
Subject: configuring shibboleth on AWS using ELB

Hi all…prefacing this to say that I am new to AWS and new to configuring shibboleth. I was wondering if anyone has successfully configured shibboleth on an AWS instance that is running https via a load balancer. I installed and configured shib, send/received metadata from my IDP, but when I generate my metadata file, the certs are not included, and the sp-cert.pem and sp-key.pem files did not get created. Do I still need to “configure” https locally on the server, and if so, how, and how do I fix my shib config?

Thanks for any help!

--

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg

To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20191126/800395ea/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ~WRD000.jpg
Type: image/jpeg
Size: 823 bytes
Desc: ~WRD000.jpg
URL: <http://shibboleth.net/pipermail/users/attachments/20191126/800395ea/attachment.jpg>