Configuring Apache 2.4 with Shibboleth SP 3.0.4

Christopher J. Hinkle chinkle at netlinkrg.com
Thu Mar 26 10:49:31 EDT 2020 

I'm implementing Shibboleth because I am trying to migrate away from AD FS.  Currently my AD FS configuration requires the use of a proxy server.  I've had to keep that same proxy server hostname for compatibility with the IdP, but I'm running both hostnames on the same machine in different VirtualHosts.  So Shibboleth is configured to use the secure certificates for the proxy hostname, and it does its authentication just fine, and redirects back to the application URL post-authentication.  I thought this might be a problem with establishing the session, but when I used the /Shibboleth.sso/Session handler from the application URL and saw that the session had been established, I figured that everything was okay.

To test this, I tried including the AuthType and Require directives in this other VirtualHost and examining the results form a test PHP page; I didn't see any difference in behavior.  If it would be useful to see the full configuration files, I can redact and post those.

On the Require directive, yes, that makes sense that the error has nothing to do with passing the info.  I was responding to Spencer's question there.  I'm still baffled why the authn_core module doesn't recognize the mod_shib.so module as having been loaded, since it kind of obviously is.  I wonder if there's some version compatibility issue I'm missing or some basic configuration thing.

Answering your previous question, this is a standalone server, not load balanced.

With apologies for top-posting (and more apologies for still using Outlook which requires me to do so),
chris.

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday 26 March 2020 10:10
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring Apache 2.4 with Shibboleth SP 3.0.4

On 3/26/20, 10:05 AM, "users on behalf of Christopher J. Hinkle" <users-bounces at shibboleth.net on behalf of chinkle at netlinkrg.com> wrote:

> Now, there is a separate VirtualHost that talks to the IdP

What do you mean by that?

> but it seems like if I use my application’s VirtualHost to query the Shibboleth Status and Session outputs, that should 
> indicate that the information would be available somehow to pass to the PHP application

The error doesn't have anything to do with passing data to the application, it's an Apache authorization directive failure. Require commands in 2.4 are all handled by a core module that dispatches the handling of rules to the modules that define them. That happens before any application logic runs, and is independent of whether the SP would populate any information into the request.

-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list