shib session not accepted for vhosts with different IPs
peter.schober at univie.ac.at
Thu Aug 13 19:38:00 UTC 2020
* Sternath, Elmar <elmar.sternath at siemens.com> [2020-08-07 14:41]:
> The first one serves one Apache instance with two vhosts, each of
> them with a different IP. [...]
> Are there any known issues with two vhosts with two different IPs
> hosted on one Apache?
IP-based vhosting vs. name-based vhosting shouldn't matter.
(The exhaustion of globally routable IPv4 addresses and the lack of
update of IPv6 essentially to me means IP-based vhosting is pointless
and a waste, but YMMV and the Shib SP shouldn't care either way.)
> This setup works fine if the first vhost is activated and the second
> vhost is deactivated (commented out). However, when the second vhost
> is activated and the first vhost deactivated, the whole SAML traffic
> looks fine including the SAML response, shibsession and opensaml_req
> cookies, but when after successful authentication the protected
> resource is called, Shibboleth doesn't seem to accept the incoming
> session and redirects the user back to the IdP with a new SAML
> request, ending up in an endless loop.
Misconfigured web server? You're not being overly specific about your
There's some documentation on looping but maybe you've seen it already:
> The second one serves two separate Apache instances with one vhost each.
> In this scenario Shibboleth works without any problems, no matter if
> the first or the second vhost or both vhosts (using
> ApplicationOverride) are activated.
The system that works raises two red flags for me (two separate Apache
httpd servers on one system; use of ApplicationOverride) but since
that's the one that's fine there's no point in commenting further.
More information about the users