configuring shibboleth on AWS using ELB

Nate Klingenstein ndk at sudonym.me
Tue Nov 26 16:56:05 EST 2019


ACM certs are totally fine for TLS (be sure to use 1.2) but should be
dedicated per target group/external facing DNS name.  They should also be
different from the SP's own encryption certificate(s).  The certificates
generated during Shibboleth installation should be fine for production use,
but you can make your own if you'd prefer.

The important thing is to keep data private by avoiding plain HTTP and
wildcard certificates when possible and using encryption, as well as
figuring out where the error is.

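Two of the problems raised in this thread can be caught by inspecting the SP's own generated metadata: a missing KeyDescriptor (the sp-cert.pem/sp-key.pem pair never got created) and an endpoint that is still plain HTTP. The checker below is an added example, not code from the thread or from the Shibboleth project; SAMPLE_METADATA is constructed and contains no real key material.

```python
"""Sanity-check a Shibboleth SP's generated metadata for the two problems this
thread raises: no certificates in the metadata and endpoints that are not HTTPS.
Added example, not code from the thread or from the Shibboleth project; the
SAMPLE_METADATA below is constructed and carries no real key material."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of what /Shibboleth.sso/Metadata might return when the SP
# key pair was never generated (so there is no KeyDescriptor) and one endpoint
# is still plain http:.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor: this is not SP metadata"]
    findings = []
    # 1. A default Shibboleth IdP encrypts assertions, and it cannot do that
    #    without a published SP certificate; the IdP also uses it to verify
    #    signed requests.
    has_cert = any(kd.find(".//ds:X509Certificate", NS) is not None
                   for kd in sp.findall("md:KeyDescriptor", NS))
    if not has_cert:
        findings.append("no KeyDescriptor with an X509Certificate: "
                        "sp-cert.pem/sp-key.pem were probably never generated")
    # 2. Every Location the IdP sends the browser to must be HTTPS; an http:
    #    endpoint exposes the assertion and the session cookie in the clear.
    for element in sp.iter():
        location = element.get("Location")
        if location and not location.startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {location}")
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_METADATA):
        print("FINDING:", finding)
```

Run it against the output of your own SP's /Shibboleth.sso/Metadata handler; the same two checks apply to metadata generated with `shib-metagen` or copied from the ELB-fronted host.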

On Tue, Nov 26, 2019, 2:48 PM Deirdre Kirmis <Deirdre.Kirmis at asu.edu> wrote:

> Thanks, Nate. You did suggest creating the SSL certs locally, which is
> what I will try next. I had already gotten so far with the ACM certs that I
> was trying to make that work first, but not really having luck. I’ll try
> your suggestions.
>
>
>
> Deirdre Kirmis
>
> Technology Services
>
> Arizona State University Library
>
> 480-965-7240
>
>
>
> From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
> Sent: Tuesday, November 26, 2019 2:41 PM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: configuring shibboleth on AWS using ELB
>
>
>
> Deirdre,
>
>
>
> Beware the wildcard certificate, especially as ACM is effectively free and
> zero maintenance.  The domain in the cookie and the certificate used for
> encryption to the SP are more important, but it's wise to use dedicated TLS
> certificates anyway.
>
>
>
> I wouldn't have ELB listen on port 80, but instead write a redirect rule.
>
>
>
> The error doesn't sound like a Shibboleth error. Try going to
> /Shibboleth.sso/Session.  I suspect it's not integrated right with the
> application or not receiving the right data in the assertion even though
> the SAML transaction is probably successful.
>
>
>
> Best wishes,
>
> Nate.
>
>
>
> On Tue, Nov 26, 2019, 2:31 PM Deirdre Kirmis <Deirdre.Kirmis at asu.edu>
> wrote:
>
> I figured out the certs issue…do you mind if I ask if I have set this up
> correctly? I have an application load balancer, listening on ports 80 and
> 443, directing to a target group (with currently only 1 EC2 instance
> registered). I set up the ELB using our AWS wildcard certificate in ACM,
> and did not configure anything specifically on the EC2 to enforce https and
> regarding certs (ssl.conf is pointing to the localhost.key and .crt
> files).  I guess the “wired together properly” part is where I’m stuck. I
> installed shib, added the Location section for it in ssl.conf, configured
> shibboleth2.xml with servername and to point to my metadata file, which I
> got from my host provider (my organization is an IDP). Added shib as an
> authentication provider.
>
>
>
> I see my provider on the login page of my app, but when I try to log in I
> get an error “The login service was unable to identify a compatible way to
> respond to the requested application. This is generally due to a
> misconfiguration on the part of the application and should be reported to
> the application's support team or owner.”
>
>
>
> Any ideas what I missed? Thank you!
>
>
>
> Deirdre Kirmis
>
> Technology Services
>
> Arizona State University Library
>
> 480-965-7240
>
>
>
> From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
> Sent: Monday, November 25, 2019 5:54 PM
> To: Shib Users <users at shibboleth.net>
> Subject: RE: configuring shibboleth on AWS using ELB
>
>
>
> Deirdre,
>
>
>
> For what it's worth, we've configured a lot of IdPs and SPs in AWS,
> including SAMLtest.  It's pretty straightforward: ELB, target groups, and
> instances, just wired together properly.  There's really nothing special
> about it.
>
>
>
> I often do it for single instances just because I like having ELB in
> between the world and me.  It doesn't really provide anything that security
> groups wouldn't other than IP address obfuscation, so it's more of a
> security blanket than a necessary piece of infrastructure, but hey.
>
>
>
> Take care,
>
> Nate.
>
>
>
> --------
>
>
>
>
> The Art of Access ®
>
>
>
> Nate Klingenstein | Principal
>
> https://www.signet.id/
>
>
>
> -----Original message-----
> From: Deirdre Kirmis
> Sent: Monday, November 25 2019, 4:30 pm
> To: users at shibboleth.net
> Subject: configuring shibboleth on AWS using ELB
>
> Hi all…prefacing this to say that I am new to AWS and new to configuring
> shibboleth. I was wondering if anyone has successfully configured
> shibboleth on an AWS instance that is running https via a load balancer. I
> installed and configured shib, sent/received metadata from my IDP, but when
> I generate my metadata file, the certs are not included, and the
> sp-cert.pem and sp-key.pem files did not get created. Do I still need to
> “configure” https locally on the server, and if so, how, and how do I fix
> my shib config?
>
>
>
> Thanks for any help!
>
>
>
> --
>
>
>
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
>
>
>
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>