Application Override: no valid session
Hoorn, R. van der (Robbert)
R.vanderHoorn at dictu.nl
Wed Aug 24 12:27:46 UTC 2022
I am experimenting with Application Override. To start testing, I have an override that would normally do the same thing as my default application. But after authenticating, I do not get a valid session on the override handler, but I do on the standard handler. What may be wrong here?
In my apache config, I have these entries:
For my default app:
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId default
    require valid-user
    ShibUseHeaders On
</Location>
For my eherkenning app:
<Location /eherkenning>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId eherkenning
    require valid-user
    ShibUseHeaders On
</Location>
<Location /Shibboleth.sso>
    AuthType None
    Require all granted
</Location>
<Location /eherkenning/Shibboleth.sso>
    AuthType None
    Require all granted
</Location>
And in my shibboleth2.xml:
<ApplicationDefaults entityID="urn:nl-eid-gdi:1.0:DV:00000003273785290000:entities:9221"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     signing="true" encryption="true">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
        <Logout>SAML2 Local</Logout>
        <Handler type="MetadataGenerator" Location="/Metadata" validUntil="31536000">
            <md:AttributeConsumingService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" index="1">
                <md:ServiceName xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xml:lang="nl-NL">Robbert test 1</md:ServiceName>
                <ds:RequestedAttribute xmlns:md="urn:oasis:names:tc:SAML:2.0:assertion"
                                       xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                       xmlns:ds="urn:oasis:names:tc:SAML:2.0:metadata"
                                       Name="urn:nl-eid-gdi:1.0:ServiceUUID">
                    <md:AttributeValue xmlns:md="urn:oasis:names:tc:SAML:2.0:assertion" xsi:type="xsd:string">34a0e906-bcf4-4146-b043-36a3f04831b5</md:AttributeValue>
                </ds:RequestedAttribute>
            </md:AttributeConsumingService>
            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                                         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="2"
                                         Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
        </Handler>
        <Handler type="Status" Location="/Status"/>
        <Handler type="Session" Location="/Session" showAttributeValues="true"/>
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        <SessionInitiator type="SAML2" Location="/Login" entityID="urn:nl-eid-gdi:1.0:RD:00000004000000149000:entities:9003" acsByIndex="true" acsIndex="3">
            <samlp:AuthnRequest ID="eherkenning" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
            </samlp:AuthnRequest>
        </SessionInitiator>
        <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
        <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
        <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
        <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                                     Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    </Sessions>
    <RelyingParty type="SAML2" KeyName="9ea178c2980ff7a9d99e54c504de4ff94e6701a4" Name="urn:nl-eid-gdi:1.0:RD:00000004000000149000:entities:9003" attributeIndex="1" signing="true"/>
    <MetadataProvider type="XML" validate="true" path="/etc/shibboleth/idp-metadata.xml">
        <!-- <MetadataFilter type="Signature" certificate="certs/cacert.pem"/> -->
    </MetadataProvider>
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="tstshibtvs.rvo.nl.key" certificate="tstshibtvs.rvo.nl.crt" use="encryption"/>
    <CredentialResolver type="File" key="tstshibtvs.rvo.nl.key" certificate="tstshibtvs.rvo.nl.crt" use="signing"/>
    <ApplicationOverride id="eherkenning" entityID="urn:nl-eid-gdi:1.0:DV:00000003273785290000:entities:9221">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/eherkenning/Shibboleth.sso"
                  relayState="ss:mem" handlerSSL="true" cookieProps="; path=/eherkenning; secure">
            <SessionInitiator type="SAML2" Location="/Login" entityID="urn:nl-eid-gdi:1.0:RD:00000004000000149000:entities:9003" acsByIndex="true" acsIndex="3">
            </SessionInitiator>
        </Sessions>
    </ApplicationOverride>
</ApplicationDefaults>
Regards,
Robbert
This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you
are requested to inform the sender and delete the message.
The State accepts no liability for damage of any kind resulting from the
risks inherent in the electronic transmission of messages.
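An ApplicationOverride with its own handlerURL and cookie path only works when the Apache side agrees with it: the handler path has to be reachable without Shibboleth protection, the protected Location has to name an applicationId that exists, and it has to sit under the override's cookie path or the session cookie never reaches it. The script below is an added example (not part of the post above and not Shibboleth SP code) that parses both files and reports such mismatches. It assumes that a Sessions element without handlerURL uses the SP's default of /Shibboleth.sso, and it runs against constructed configs modelled on the ones in the post, with a second Apache config that deliberately omits the override's handler Location.

```python
"""Cross-check shibboleth2.xml applications against Apache <Location> blocks.
Constructed example; not Shibboleth SP code."""
import re
import xml.etree.ElementTree as ET

# Constructed shibboleth2.xml modelled on the post; a real file carries the
# default namespace shown here, which the parser strips.
SHIB_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="urn:example:sp">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true"
              cookieProps="; path=/; secure"/>
    <ApplicationOverride id="eherkenning" entityID="urn:example:sp">
      <Sessions lifetime="28800" timeout="3600" handlerURL="/eherkenning/Shibboleth.sso"
                handlerSSL="true" cookieProps="; path=/eherkenning; secure"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed Apache config modelled on the post (kept unindented on purpose).
APACHE_CONF = """<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId default
require valid-user
</Location>
<Location /eherkenning>
AuthType shibboleth
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId eherkenning
require valid-user
</Location>
<Location /Shibboleth.sso>
AuthType None
Require all granted
</Location>
<Location /eherkenning/Shibboleth.sso>
AuthType None
Require all granted
</Location>"""

# Same config with the override's handler Location removed (constructed defect).
BROKEN_APACHE_CONF = APACHE_CONF.replace(
    "<Location /eherkenning/Shibboleth.sso>\nAuthType None\nRequire all granted\n</Location>", "")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def shib_applications(xml_text):
    """Return {application_id: {"handlerURL": ..., "cookiePath": ...}}."""
    root = ET.fromstring(xml_text)
    defaults = next(e for e in root.iter() if _local(e.tag) == "ApplicationDefaults")
    apps = {}

    def describe(app_id, elem):
        sessions = next((c for c in elem if _local(c.tag) == "Sessions"), None)
        attrs = sessions.attrib if sessions is not None else {}
        handler = attrs.get("handlerURL", "/Shibboleth.sso")  # assumed SP default when omitted
        m = re.search(r"path=([^;\s]+)", attrs.get("cookieProps", ""))
        apps[app_id] = {"handlerURL": handler, "cookiePath": m.group(1) if m else "/"}

    describe("default", defaults)
    for ov in defaults.iter():
        if _local(ov.tag) == "ApplicationOverride":
            describe(ov.get("id"), ov)
    return apps


def apache_locations(conf_text):
    """Return {path: [(directive, args), ...]} for every <Location> block."""
    locations, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m:
            current = m.group(1)
            locations[current] = []
        elif re.match(r"</Location>", line, re.I):
            current = None
        elif current is not None:
            directive, _, args = line.partition(" ")
            locations[current].append((directive, args.strip()))
    return locations


def check_config(xml_text, conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    apps, locs, findings = shib_applications(xml_text), apache_locations(conf_text), []
    # 1. each application's handler path must be served without Shibboleth auth
    for app_id, info in apps.items():
        block = locs.get(info["handlerURL"])
        if block is None:
            findings.append(f"{app_id}: no <Location {info['handlerURL']}> for its handlerURL")
            continue
        d = {k.lower(): v.lower() for k, v in block}
        if d.get("authtype") != "none" or d.get("require") != "all granted":
            findings.append(f"{app_id}: {info['handlerURL']} lacks 'AuthType None' + 'Require all granted'")
    # 2. protected paths must name a known applicationId and lie under its cookie path
    for path, block in locs.items():
        for directive, args in block:
            setting, _, value = args.partition(" ")
            if directive.lower() != "shibrequestsetting" or setting.lower() != "applicationid":
                continue
            if value not in apps:
                findings.append(f"{path}: applicationId '{value}' has no ApplicationOverride")
            else:
                cp = apps[value]["cookiePath"]
                if path != cp and not path.startswith(cp.rstrip("/") + "/"):
                    findings.append(f"{path}: outside cookie path {cp} of application '{value}'")
    return findings


if __name__ == "__main__":
    for conf in (APACHE_CONF, BROKEN_APACHE_CONF):
        print(check_config(SHIB_XML, conf) or "consistent")
```

Point the script at the real files (read them instead of the constructed strings) and any finding names the application and path that disagree; a clean result only says the paths line up, not that the IdP side or the session cookie flags are right.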