
ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:

    ServerName <your hostname>


The following tells Apache to proxy every request whose path starts with "/shrine-api/" to the Tomcat instance listening for AJP on port 8009 of [your hostname]; Tomcat's HTTP connector on 8080 is not used for this path, the traffic goes over the AJP protocol. Tomcat therefore has to be configured with an AJP connector on port 8009 (see Tomcat Configuration below). Because the AJP connector trusts whatever the proxy sends it, including the user attributes mod_shib exports, it should be reachable only from this Apache instance: bind it to a loopback address where Apache and Tomcat share a host, or firewall it to the SP, and where the versions allow it (Apache httpd 2.4.42 and Tomcat 9.0.31 or later) configure the same AJP secret on both sides. In sp.conf it looks like:

    ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"


The following tells Apache to send requests for the bare hostname (the "/" path) to the web client landing page. The RewriteRule has no [R] flag, so this is an internal rewrite rather than an HTTP redirect: the browser keeps the bare URL in its address bar and Apache serves /shrine-api/shrine-webclient for it.

    ## hits to just the bare hostname should go to landing page
    ...
    <LocationMatch "^/$">
    ...
    RewriteEngine On
    ...
    RewriteRule .* /shrine-api/shrine-webclient
    ...
    </LocationMatch>

The following tells Apache to require Shibboleth authentication for a fixed list of paths under "/shrine-api/". Only the alternatives inside the parentheses are covered; any other path under "/shrine-api/" is still proxied to Tomcat by the ProxyPass above without a session check unless another block protects it. "requireSession 1" makes the SP redirect an unauthenticated browser to the IdP instead of passing the request through without a session:

    <LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
    ...
      AuthType shibboleth
    ...
      ShibRequestSetting requireSession 1
    ...
      Require valid-user local

"ShibUseEnvironment On" tells mod_shib to export the attributes it receives from the IdP as Apache environment variables, which mod_proxy_ajp forwards to Tomcat as request attributes. "ShibUseHeaders On" additionally exports them as HTTP request headers, and is needed here so that the REMOTE_USER header reaches the Servlet (see https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig). Headers travel in the same channel the client writes to. mod_shib strips the header names it is about to set before it sets them, but only on locations where it is engaged, so the application must not trust REMOTE_USER or any other attribute header on a path outside this LocationMatch, and should read the request attributes in preference to the headers wherever it can.

      ShibUseEnvironment On
      ShibUseHeaders On


The same block also sets no-cache headers (so authenticated responses are not retained by browser or intermediate caches), sets the isSsoMode cookie, and sets Access-Control-Allow-Origin, which needs to be populated with the correct value for your site. Two things to get right here: the value is an origin, that is scheme and host (plus port if non-default) exactly as the browser sends it in its Origin header, e.g. https://my.idp.edu, not a bare hostname; and it must name that single trusted origin, never "*". Note also that "Header set" replaces any header of the same name already in the response, so "Header set Set-Cookie" discards any cookie Tomcat or the application tries to set on these paths; "Header add" appends instead. As written the cookie carries no Secure or SameSite attribute.

    # no caching
    ...
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    ...
    Header set Pragma "no-cache"
    ...
    Header set Expires 0
    ...
    # CORS / Access-Control
    ...
    ## ADJUST_FOR_YOUR_SITE:
    ...
    Header set Access-Control-Allow-Origin [your IdP's origin, e.g. https://my.idp.edu]
    ...
    #
    ...
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    ...
    # isSsoMode cookie
    ...
    Header set Set-Cookie isSsoMode=true
    ...
    </LocationMatch>
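Apache accepts most of the mistakes discussed on this page without complaint: a placeholder left in ServerName, a bare hostname in Access-Control-Allow-Origin, or a "Header set Set-Cookie" that silently drops the application's cookies. The linter below, added here as an example and not part of SHRINE or the Shibboleth SP, checks an sp.conf fragment for exactly the points above. The finding codes and both sample configs are this example's own: PAGE_CONF is the page's directives with their placeholders left in, and HARDENED_CONF is the same directives with hypothetical values filled in and the header problems fixed. ShibUseHeaders On stays in the hardened sample because the page needs it for REMOTE_USER; the linter reports it as a warning, not an error.

```python
"""Offline linter for the sp.conf directives shown above (added example, not
SHRINE or Shibboleth code); finding codes and both sample configs are its own."""
import re

PLACEHOLDER = re.compile(r"[<>\[\]]")                    # "<your hostname>", "[your IdP's ...]"
ORIGIN = re.compile(r"^https://[A-Za-z0-9.-]+(:\d+)?$")  # what a browser sends as Origin
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed sample: the page's directives with their placeholders left in place.
PAGE_CONF = """\
ServerName <your hostname>
ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local
  ShibUseHeaders On
  Header set Access-Control-Allow-Origin [your idP's hostname, e.g. my.idp.edu]
  Header set Set-Cookie isSsoMode=true
</LocationMatch>
"""

# Constructed sample: hypothetical hostnames filled in, CORS origin and cookie fixed.
HARDENED_CONF = """\
ServerName my-shibboleth-sp-host.net
ProxyPass "/shrine-api/" "ajp://127.0.0.1:8009/shrine-api/"
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user
  ShibUseHeaders On
  Header set Access-Control-Allow-Origin "https://my.idp.edu"
  Header always add Set-Cookie "isSsoMode=true; Path=/; Secure; SameSite=Lax"
</LocationMatch>
"""

# Tokenise directive arguments the way Apache does: double quotes group words.
_words = lambda s: [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', s)]


def lint_sp_conf(text):
    """Return (errors, warnings), each a sorted list of finding codes."""
    errors, warnings, seen, in_protected = set(), set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, args = (line.split(None, 1) + [""])[:2]
        if name == "ServerName" and (not args or PLACEHOLDER.search(args)):
            errors.add("SERVERNAME_PLACEHOLDER")
        elif name == "ProxyPass":
            words = _words(args)
            target = words[1] if len(words) > 1 else ""
            if PLACEHOLDER.search(target):
                errors.add("PROXYPASS_PLACEHOLDER")
            m = re.match(r"^(\w+)://([^/]+)", target)
            scheme, hostport = m.groups() if m else ("", "")
            if scheme != "ajp":                       # the page proxies over AJP, port 8009
                errors.add("PROXYPASS_NOT_AJP")
            if scheme == "ajp" and re.sub(r":\d+$", "", hostport) not in LOOPBACK:
                warnings.add("AJP_TARGET_NOT_LOOPBACK")  # connector may be reachable off-host
        elif name.startswith("<LocationMatch"):
            in_protected, seen = "shrine-api" in args, set()
        elif name.startswith("</LocationMatch"):
            if in_protected:
                missing = {"AuthType shibboleth", "requireSession 1", "Require"} - seen
                errors.update("PROTECTED_MISSING_" + m.split()[0].upper() for m in missing)
            in_protected = False
        elif in_protected:
            if name == "AuthType" and args.lower() == "shibboleth":
                seen.add("AuthType shibboleth")
            elif name == "ShibRequestSetting" and args.split() == ["requireSession", "1"]:
                seen.add("requireSession 1")
            elif name == "Require":
                seen.add("Require")
            elif name == "ShibUseHeaders" and args.lower() == "on":
                warnings.add("SHIBUSEHEADERS_ON")     # attributes also ride on spoofable headers
            elif name == "Header":
                words = _words(args)
                if words[:1] == ["always"]:
                    words = words[1:]
                if len(words) < 3:
                    continue
                action, header, value = words[0], words[1].lower(), " ".join(words[2:])
                if header == "access-control-allow-origin":
                    if value == "*":
                        errors.add("CORS_WILDCARD")
                    elif PLACEHOLDER.search(value):
                        errors.add("CORS_PLACEHOLDER")
                    elif not ORIGIN.match(value):
                        errors.add("CORS_NOT_AN_ORIGIN")  # a bare hostname is not an origin
                elif header == "set-cookie":
                    if action == "set":                   # "set" replaces the app's own cookies
                        errors.add("SETCOOKIE_HEADER_SET_CLOBBERS")
                    if "secure" not in value.lower():
                        warnings.add("COOKIE_NOT_SECURE")
    return sorted(errors), sorted(warnings)
```

Run it against the real sp.conf with lint_sp_conf(open("sp.conf").read()): anything in the errors list should block the deploy, while the warnings are the judgement calls this page discusses (AJP reachable beyond loopback, the header-based REMOTE_USER, a cookie without Secure).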