shib session not accepted for vhosts with different IPs

Peter Schober peter.schober at univie.ac.at
Thu Aug 13 19:38:00 UTC 2020


* Sternath, Elmar <elmar.sternath at siemens.com> [2020-08-07 14:41]:
> The first one serves one Apache instance with two vhosts, each of
> them with a different IP. [...]
> Are there any known issues with two vhosts with two different IPs
> hosted on one Apache?

IP-based vhosting vs. name-based vhosting shouldn't matter.
(The exhaustion of globally routable IPv4 addresses and the lack of
update of IPv6 essentially to me means IP-based vhosting is pointless
and a waste, but YMMV and the Shib SP shouldn't care either way.)

> This setup works fine if the first vhost is activated and the second
> vhost is deactivated (commented out). However, when the second vhost
> is activated and the first vhost deactivated, the whole SAML traffic
> looks fine including the SAML response, shibsession and opensaml_req
> cookies, but when after successful authentication the protected
> resource is called, Shibboleth doesn't seem to accept the incoming
> session and redirects the user back to the IdP with a new SAML
> request, ending up in an endless loop.

Misconfigured web server? You're not being overly specific about your
config.
There's some documentation on looping but maybe you've seen it already:
https://wiki.shibboleth.net/confluence/display/SP3/Looping

> The second one serves two separate Apache instances with one vhost each.
> 
> In this scenario Shibboleth works without any problems, no matter if
> the first or the second vhost or both vhosts (using
> ApplicationOverride) are activated.

The system that works raises two red flags for me (two separate Apache
httpd servers on one system; use of ApplicationOverride) but since
that's the one that's fine there's no point in commenting further.

-peter

