ContentSetting discoveryURL

Stefan Beck stefan.beck at
Mon Feb 24 10:58:51 EST 2020


I have the following situation: On the machine I have two virtual hosts and both of them shall be equipped with Shibboleth. They are designated to have different entityIDs. This works fine, but I am struggling to define different discoveryURLs.

According to [1] I do not need to use ApplicationOverride and so I am not using it.
In [2] there is the ContentSetting discoveryURL, which I set in the Apache vhost together with entityIdSelf. While entityIdSelf is applied, discoveryURL is ignored, i.e. the value defined in shibboleth2.xml is used.

To be more concrete: I run shibd v. 3.0.4 with Apache 2.4.25. The Sessions part of my shibboleth2.xml looks like

<Sessions lifetime="28800"

     <SSO discoveryProtocol="SAMLDS"
         discoveryURL="" >

     <Logout>SAML2 Local</Logout>

     <!-- Administrative logout. -->
     <LogoutInitiator type="Admin" Location="/Logout/Admin" acl=" ::1" />

     <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
     <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

     <!-- Status reporting service. -->
     <Handler type="Status" Location="/Status" acl=" ::1" />

     <!-- Session diagnostic service. -->
     <Handler type="Session" Location="/Session" showAttributeValues="false"/>

     <!-- JSON feed of discovery information. -->
     <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

and in the config for the Apache vhost that shall use a different discoveryURL, I have

<Location /Shibboleth.sso>
     setHandler shib
     ShibRequestSetting entityIdSelf
     ShibRequestSetting discoveryURL

When calling, I get:

curl -I
HTTP/1.1 302 Found
Date: Mon, 24 Feb 2020 14:41:32 GMT
Server: Apache/2.4.25 (Debian)
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Content-Type: text/html; charset=iso-8859-1

While the correct entityID (of SP) and return value is given, the URL to where the redirect goes should be and not

The shibd log gives me

shibboleth[19663]: DEBUG Shibboleth.Apache [19663] shib_handler: mapped to default
shibboleth[19663]: DEBUG Shibboleth.SessionInitiator.SAMLDS [19663] shib_handler [default]: sending request to SAMLDS (
shibboleth[19663]: DEBUG Shibboleth.Listener [19663] shib_handler [default]: sending message (set::RelayState)
shibboleth[19663]: DEBUG Shibboleth.Listener [19663] shib_handler [default]: send completed, reading response message

So the ShibRequestSetting discoveryURL did not take effect.

(I also tried using SessionInitiator instead of SSO, but that did not succeed either.)

I am not too sure if the above is supposed to work anyway. When I look at [3] I see that there is no remark that discoveryURL can be set via ContentSetting, while it is mentioned for e.g. entityID. The same applies to [4] and [5].



Stefan Beck
Universitäts- und Landesbibliothek Darmstadt
IT, Forschung und Entwicklung
Projekt Darmstädter Tagblatt | Projekt LaVaH

Tel.: +49 6151 / 16-76294
