...
ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:

    ServerName <your hostname>
The following tells Apache to proxy all requests for URLs starting with "/shrine-api/" to Tomcat over the AJP protocol on port 8009 (the AJP connector, not Tomcat's HTTP connector on port 8080). Therefore we need to set up Tomcat to listen for AJP traffic on port 8009 (see Tomcat Configuration below). Because this ProxyPass covers everything under "/shrine-api/", any path under it that is not also matched by the Shibboleth <LocationMatch> further down reaches Tomcat without authentication, so only this Apache instance should be able to reach the AJP port: bind the Tomcat connector to the loopback address (and then proxy to ajp://localhost:8009/ rather than the public hostname) and configure the shared secret that Tomcat 9.0.31 and later require on the AJP connector by default. In sp.conf it looks like:

    ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"
The following tells Apache to redirect requests for the bare hostname to the landing page:

    ## hits to just the bare hostname should go to landing page
    ...
    ...
    ...
    RewriteRule .* /shrine-api/shrine-webclient
    ...
The following tells Apache to require Shibboleth authentication for a whitelist of URL prefixes under "/shrine-api/". LocationMatch is an unanchored, case-sensitive regular expression, and every path under "/shrine-api/" that it does not match is still proxied to Tomcat, just without a Shibboleth session, so the list must name every servlet path that needs a user identity:

    <LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
    ...
    ...
    ShibRequestSetting requireSession 1
    ...
"
ShibUseEnvironment On"
tells Shibboleth to make the attributes it collects from the IdP available as request attributes in Tomcat. We also need "ShibUseHeaders On"
in order to pass the REMOTE_USER header to the Servlet. see
https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig.
ShibUseEnvironment On
Code Block |
---|
|
ShibUseEnvironment On
ShibUseHeaders |
...
Also: the same block sets no-cache headers, sets the isSsoMode cookie, and sets Access-Control-Allow-Origin, which needs to be populated with the correct value. Browsers compare Access-Control-Allow-Origin against the requesting page's origin, which is scheme plus host (plus port when it is not the default), so the value must be a full origin such as https://my.idp.edu rather than a bare hostname, and a wildcard must not be used on an API that relies on the session cookie. The isSsoMode cookie is a flag rather than a credential, but it is issued over TLS and should carry the Secure attribute.

    ...
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    ...
    Header set Pragma "no-cache"
    ...
    ...
    ...
    ...
    Header set Access-Control-Allow-Origin [your IdP's origin, e.g. https://my.idp.edu]
    ...
    ...
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    ...
    ...
    Header set Set-Cookie isSsoMode=true
    ...
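The two review points above (which proxied paths fall outside the Shibboleth whitelist, and whether the CORS and cookie headers are well formed) can be checked before the config is deployed. The script below is an added example, not SHRINE's or Shibboleth's code; it audits an sp.conf fragment. The sp.conf text, the hostnames and the candidate request paths are constructed for the example (only the whitelisted prefixes come from this page; /shrine-api/internal/status and the others are invented to exercise the checks). It mirrors Apache's LocationMatch semantics with an unanchored, case-sensitive re.search.

```python
"""Audit an Apache/Shibboleth sp.conf fragment like the one on this page.

Added example, not SHRINE's or Shibboleth's code. Checks:
  1. paths that ProxyPass forwards to Tomcat but that no <LocationMatch>
     with "ShibRequestSetting requireSession 1" covers (they arrive
     at the servlet without a Shibboleth session);
  2. whether Access-Control-Allow-Origin is a full origin (scheme + host);
  3. whether Set-Cookie values carry the Secure attribute;
  4. whether every ProxyPass target really uses the ajp:// scheme.
"""
import re
from urllib.parse import urlsplit

# Constructed sp.conf fragment (hostnames are hypothetical).
SAMPLE_SP_CONF = r'''
ServerName my-shibboleth-sp-host.net
ProxyPass "/shrine-api/" "ajp://my-shibboleth-sp-host.net:8009/shrine-api/"
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
    ShibRequestSetting requireSession 1
    ShibUseEnvironment On
    ShibUseHeaders On
    Header set Access-Control-Allow-Origin my.idp.edu
    Header set Set-Cookie isSsoMode=true
</LocationMatch>
'''

# Hypothetical request paths; only the whitelisted prefixes are from the page.
CANDIDATE_PATHS = [
    "/shrine-api/qep/queries",
    "/shrine-api/ontology/terms",
    "/shrine-api/shrine-webclient",
    "/shrine-api/steward/requests",
    "/shrine-api/internal/status",  # proxied, but not in the LocationMatch list
    "/shrine-api/QEP/queries",      # LocationMatch is case-sensitive
    "/other-app/page",              # not proxied at all
]

_PROXYPASS = re.compile(r'^\s*ProxyPass\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.M)
_LOCMATCH = re.compile(r'<LocationMatch\s+"([^"]+)"\s*>(.*?)</LocationMatch>', re.S)
_HEADER = re.compile(r'^\s*Header\s+(?:set|add|append)\s+(\S+)\s+"?([^"\n]+?)"?\s*$', re.M)


def proxy_prefixes(conf):
    """[(path_prefix, target_url)] for every ProxyPass directive."""
    return _PROXYPASS.findall(conf)


def session_required_patterns(conf):
    """Regexes of LocationMatch blocks that require a Shibboleth session."""
    return [pat for pat, body in _LOCMATCH.findall(conf)
            if re.search(r'ShibRequestSetting\s+requireSession\s+1\b', body)]


def unauthenticated_proxied(paths, conf):
    """Paths proxied to Tomcat that no requireSession LocationMatch covers.

    Apache evaluates LocationMatch as an unanchored, case-sensitive regex
    search, so re.search (not fullmatch or a lowercase compare) mirrors it.
    """
    prefixes = [p for p, _ in proxy_prefixes(conf)]
    patterns = [re.compile(p) for p in session_required_patterns(conf)]
    return [path for path in paths
            if any(path.startswith(pre) for pre in prefixes)
            and not any(rx.search(path) for rx in patterns)]


def header_values(conf, name):
    return [v for n, v in _HEADER.findall(conf) if n.lower() == name.lower()]


def cors_origin_problems(conf):
    """ACAO must be one origin (scheme://host[:port], no path); '*' is flagged too."""
    problems = []
    for value in header_values(conf, "Access-Control-Allow-Origin"):
        if value == "*":
            problems.append(f"{value!r}: wildcard origin on an authenticated API")
            continue
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path or parts.query:
            problems.append(f"{value!r}: not an origin (expected e.g. https://{value})")
    return problems


def cookie_problems(conf):
    """Set-Cookie values that lack the Secure attribute."""
    problems = []
    for value in header_values(conf, "Set-Cookie"):
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:
            problems.append(f"{value!r}: missing Secure")
    return problems


def ajp_target_problems(conf):
    """ProxyPass targets that do not use AJP, as this setup expects."""
    return [t for _, t in proxy_prefixes(conf) if not t.startswith("ajp://")]


def audit(conf=SAMPLE_SP_CONF, paths=CANDIDATE_PATHS):
    return {
        "unauthenticated_proxied": unauthenticated_proxied(paths, conf),
        "cors": cors_origin_problems(conf),
        "cookie": cookie_problems(conf),
        "proxy_target": ajp_target_problems(conf),
    }


if __name__ == "__main__":
    for key, findings in audit().items():
        print(f"{key}: {findings or 'ok'}")
```

Running it against the sample reports /shrine-api/internal/status and /shrine-api/QEP/queries as proxied without a session, the bare hostname in Access-Control-Allow-Origin, and the cookie without Secure. Point it at the real sp.conf (read the file into `conf`) and at the servlet paths the application actually exposes to get the list that matters for your deployment.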