How to configure ACS URL in proxy scenario
Sternath, Elmar
elmar.sternath at siemens.com
Wed Apr 22 15:47:31 EDT 2020
Dear experts,
I would like to host an application protected by Shibboleth SP behind a reverse proxy, like so:
https://samltest.example.org:4433/mySAMLTest -> https://samltest.example.org/mySAMLTest
The reverse proxy is an Apache, the application an IIS site hosted on port 443.
However, I do not get the ACS URL set properly in the SAML request. The SAML request always contains the ACS URL without the port number.
What I have tried already in shibboleth2.xml:
<Site id="3" name="samltest.example.org" scheme="https" port="4433" />
combined with
<RequestMap>
<Host name="samltest.example.org" scheme="https" port="4433" >
<Path name="mySAMLTest" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
Result: /mySAMLTest is not protected any more
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" handlerURL="https://samltest.example.org:4433/Shibboleth.sso" cookieProps="https">
Result: ACS URL https://samltest.example.org:4433/Shibboleth.sso/SAML2/POST is set properly, but when the IdP redirects to it, it returns error 404
<Handler type="MetadataGenerator" Location="/Metadata" signing="false">
<EndpointBase>https://samltest.example.org:4433/Shibboleth.sso</EndpointBase>
</Handler>
Result: ACS URL in Metadata file is set properly, but in the SAML request the port number is still missing.
From my understanding, I have to tell the Shibboleth SP somehow to add the port number to the ACS URL when creating the SAML request, I am just not able to figure out how.
Any help would be very much appreciated.
Thanks in advance and br,
Elmar
Here is the whole shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
clockSkew="180">
<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
<Extensions>
<Library path="plugins.so" fatal="true"/>
</Extensions>
</OutOfProcess>
<InProcess>
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="3" name="samltest.example.org"/>
</ISAPI>
</InProcess>
<RequestMapper type="Native">
<RequestMap>
<Host name="samltest.example.org">
<Path name="mySAMLTest" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
<ApplicationDefaults entityID="https://samltest.example.org:4433/shibboleth"
REMOTE_USER="eppn subject-id pairwise-id persistent-id"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" signing="true">
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
<SSO entityID="https://idp.example.org"
discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
SAML2
</SSO>
<Logout>SAML2 Local</Logout>
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
<Handler type="MetadataGenerator" Location="/Metadata" signing="false">
<EndpointBase>https://samltest.example.org:4433/Shibboleth.sso</EndpointBase>
</Handler>
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<Errors supportContact="root at localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<MetadataProvider type="XML" validate="true"
url="https://idp.example.org/pf/federation_metadata.ping?PartnerSpId=https://samltest.example.org:4433/shibboleth" backingFilePath="metadata-saml20.xml" maxRefreshDelay="7200"/>
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<CredentialResolver type="File" use="signing"
key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
</ApplicationDefaults>
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
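As an added diagnostic, not part of the original post and not code from the Shibboleth project: a small Python check that parses SP metadata and a SAML AuthnRequest and flags every AssertionConsumerService endpoint whose scheme, host or port differs from the proxy-facing origin. The two XML samples are constructed to mirror the situation above (metadata with port 4433, AuthnRequest without it).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata, modelled on what the MetadataGenerator
# handler in the post emits once EndpointBase carries the proxy port 4433.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://samltest.example.org:4433/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://samltest.example.org:4433/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample AuthnRequest reproducing the symptom from the post:
# the ACS URL is built from the backend request, so the port is missing.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example" Version="2.0" IssueInstant="2020-04-22T19:47:31Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://samltest.example.org/Shibboleth.sso/SAML2/POST"/>"""

def origin(url):
    # Compare on (scheme, host, effective port); no explicit port means the scheme default.
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80))

def metadata_acs_urls(metadata_xml):
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]

def authn_request_acs_url(request_xml):
    return ET.fromstring(request_xml).get("AssertionConsumerServiceURL")

def check_acs(expected_base, metadata_xml, request_xml):
    # Every endpoint whose origin differs from the externally reachable base
    # URL will be unreachable through the proxy or rejected by the IdP.
    want = origin(expected_base)
    problems = [("metadata", u) for u in metadata_acs_urls(metadata_xml)
                if origin(u) != want]
    req = authn_request_acs_url(request_xml)
    if req and origin(req) != want:
        problems.append(("AuthnRequest", req))
    return problems

if __name__ == "__main__":
    for where, url in check_acs("https://samltest.example.org:4433/", SP_METADATA, AUTHN_REQUEST):
        print(f"{where}: {url} does not match the proxy-facing origin")
```

Run it against a real metadata file and a decoded AuthnRequest from the browser's SAML trace to see which of the two sides still carries the backend port.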