ContentSetting discoveryURL

Stefan Beck stefan.beck at ulb.tu-darmstadt.de
Mon Feb 24 10:58:51 EST 2020


Hello,

I have the following situation: On the machine I have two virtual hosts and both of them shall be equipped with Shibboleth. They are designated to have different entityIDs. This works fine, but I have struggles defining different discoveryURL.

According to [1] I do not need to use ApplicationOverride and so I am not using it.
In [2] there is the ContentSetting discoveryURL which I set in the apache vhost together with entityIdSelf. While entityIdSelf is applied, discoveryURL is ignored, i.e. the value defined in shibboleth2.xml is used.

To be more concrete. I run shibd v. 3.0.4 with apache 2.4.25. My sessions part in shibboleth2.xml looks like


<Sessions lifetime="28800"
     timeout="3600"
     relayState="ss:mem"
     checkAddress="false"
     handlerSSL="true"
     cookieProps="https">

     <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://dissem.in/static/shib/shibboleth-embedded-ds-1.2.2/" >
         SAML2
     </SSO>

     <Logout>SAML2 Local</Logout>

     <!-- Administrative logout. -->
     <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

     <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
     <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

     <!-- Status reporting service. -->
     <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1" />

     <!-- Session diagnostic service. -->
     <Handler type="Session" Location="/Session" showAttributeValues="false"/>

     <!-- JSON feed of discovery information. -->
     <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>

and in the config for the apache vhost, that shall use a different discoveryURL, I have

<Location /Shibboleth.sso>
     setHandler shib
     ShibRequestSetting entityIdSelf https://sp.sandbox.dissem.in/shibboleth
     ShibRequestSetting discoveryURL https://sandbox.dissem.in/static/shib/shibboleth-embedded-ds-1.2.2/
</Location>

When calling, I get:

curl -I https://sandbox.dissem.in/Shibboleth.sso/Login
HTTP/1.1 302 Found
Date: Mon, 24 Feb 2020 14:41:32 GMT
Server: Apache/2.4.25 (Debian)
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://dissem.in/static/shib/shibboleth-embedded-ds-1.2.2/?entityID=https%3A%2F%2Fsp.sandbox.dissem.in%2Fshibboleth&return=https%3A%2F%2Fsandbox.dissem.in%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A4ef7a1d1b1c50d8a6b7def1c5d3f37f9ec28d028c2828fa4f233ebfbdfdeca25
Content-Type: text/html; charset=iso-8859-1

While the correct entityID (of SP) and return value is given, the URL to where the redirect goes should be https://sandbox.dissem.in/... and not https://dissem.in/...

The shibd log gives me

shibboleth[19663]: DEBUG Shibboleth.Apache [19663] shib_handler: mapped https://sandbox.dissem.in/Shibboleth.sso/Login to default
shibboleth[19663]: DEBUG Shibboleth.SessionInitiator.SAMLDS [19663] shib_handler [default]: sending request to SAMLDS (https://dissem.in/static/shib/shibboleth-embedded-ds-1.2.2/)
shibboleth[19663]: DEBUG Shibboleth.Listener [19663] shib_handler [default]: sending message (set::RelayState)
shibboleth[19663]: DEBUG Shibboleth.Listener [19663] shib_handler [default]: send completed, reading response message

So the ShibRequestSetting discoveryURL did not take effect.

(I also tried using SessionInitiator instead of SSO, but that did not succeed either.)

I am not too sure if the above is supposed to work anyway. When I look at [3] I see that there is no remark that discoveryURL can be set via ContentSetting, while it is mentioned for e.g. entityID. Similar applies to [4] and [5].

Best,
Stefan

[1] https://wiki.shibboleth.net/confluence/display/SP3/ApplicationOverride
[2] https://wiki.shibboleth.net/confluence/display/SP3/ContentSettings
[3] https://wiki.shibboleth.net/confluence/display/SP3/SSO
[4] https://wiki.shibboleth.net/confluence/display/SP3/SessionInitiator
[5] https://wiki.shibboleth.net/confluence/display/SP3/SAMLDS+SessionInitiator

-- 
Stefan Beck
Universitäts- und Landesbibliothek Darmstadt
IT, Forschung und Entwicklung
Projekt Darmstädter Tagblatt | Projekt LaVaH

Tel.: +49 6151 / 16-76294

