...

ServerName my-shibboleth-sp-host.net

Timeout 300
ProxyTimeout 300

ProxyIOBufferSize 65536

#### serve content from Tomcat
ProxyPassReverse "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"
ProxyPass "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"

# as per https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335062/Apache:
# "You do not have to set UseCanonicalName On, but you usually should ..."
### XH : when set to On, no longer works (???)
UseCanonicalName On

#### whitelist URLs which need to be protected by Shibboleth
<LocationMatch "/shrine-api/">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user local
## we are only using headers for now (httpd does not allow a comment after a directive on the same line)
ShibUseEnvironment Off
ShibUseHeaders On
</LocationMatch>

To publish your SP metadata to your IdP:

  • Email it to them, or
  • Place your metadata in a file called sp-metadata.xml under the directory configured as DocumentRoot in .../httpd.conf, e.g.

DocumentRoot "/var/www/html"

  • And then in sp.conf .........


The following tells Apache to use Shibboleth for authentication of any URL containing "/shrine-api/". Note that LocationMatch takes an unanchored regular expression, so the pattern also matches paths such as "/other/shrine-api/"; anchor it with "^/shrine-api/" if only the prefix should be protected:

#### whitelist URLs which need to be protected by Shibboleth
<LocationMatch "/shrine-api/">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local
</LocationMatch>

The following tells Shibboleth to make the attributes it collects from the IdP available as request headers in Apache (ShibUseEnvironment Off, ShibUseHeaders On). This is the opposite of what Shibboleth recommends: headers are client-supplied data, so an identity carried in a header can be spoofed by any request that reaches Tomcat without passing through mod_shib. The recommended (and default) setup, ShibUseEnvironment On and ShibUseHeaders Off, requires proxying to Tomcat over AJP, which we do not use (we proxy over HTTP; AJP is disabled by default in recent Tomcat releases and needs a shared secret). Because we rely on headers, Tomcat must only be reachable through this Apache proxy: keep the HTTP connector bound to 127.0.0.1, as the ProxyPass target above assumes, and make sure every path proxied to Tomcat is inside a Location block that requires a Shibboleth session, otherwise an unprotected path would pass attacker-supplied attribute headers straight through.
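The two invariants just described (every proxied path sits behind a Shibboleth-protected Location, and the header-based identity is only accepted from a loopback backend) are easy to lose when the config grows. The checker below is an added example, not code from the original page or from SHRINE or Shibboleth; it parses a constructed copy of the page's own httpd.conf fragment (with the inline comment moved to its own line) and reports violations. The function names `parse_conf` and `audit`, and the variant configs in the usage, are assumptions made for this illustration.

```python
"""Audit an Apache reverse-proxy + Shibboleth SP config for two invariants:
(1) every ProxyPass path is covered by a Location/LocationMatch that requires a
    Shibboleth session, and
(2) when attributes travel as headers (ShibUseHeaders On), the proxied backend
    is a loopback address, so no network client can reach it and forge headers.
Added example; not a SHRINE or Shibboleth tool.  Loopback is necessary, not
sufficient: Tomcat's connector must also bind to 127.0.0.1 (address attribute).
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed from the page's httpd.conf snippet (comment moved to its own line).
SAMPLE_CONF = """
ProxyPassReverse "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"
ProxyPass "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"

<LocationMatch "/shrine-api/">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user local
## we are only using headers for now
ShibUseEnvironment Off
ShibUseHeaders On
</LocationMatch>
"""

_OPEN = re.compile(r'^<(Location|LocationMatch)\s+"?([^">]+?)"?\s*>$', re.I)
_CLOSE = re.compile(r"^</(Location|LocationMatch)>$", re.I)
_TRUE = {"1", "on", "true"}


def _tokens(line):
    """Split a directive line into tokens, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_conf(text):
    """Return (proxies, locations, global_directives).

    proxies:   [(url_path, backend_url), ...] from ProxyPass lines
    locations: [{"kind", "pattern", "directives": {name: [args, ...]}}, ...]
    Directives outside any Location block land in global_directives.
    """
    proxies, locations, global_directives, current = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            current = {"kind": m.group(1).lower(), "pattern": m.group(2), "directives": {}}
            locations.append(current)
            continue
        if _CLOSE.match(line):
            current = None
            continue
        tok = _tokens(line)
        name, args = tok[0].lower(), tok[1:]
        if name == "proxypass" and len(args) >= 2:
            proxies.append((args[0], args[1]))
        scope = current["directives"] if current is not None else global_directives
        scope.setdefault(name, []).append(args)
    return proxies, locations, global_directives


def _covers(loc, path):
    """LocationMatch is an unanchored regex; Location is a path prefix."""
    if loc["kind"] == "locationmatch":
        return re.search(loc["pattern"], path) is not None
    prefix = loc["pattern"]
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def _requires_session(loc):
    d = loc["directives"]
    auth_ok = any(a and a[0].lower() == "shibboleth" for a in d.get("authtype", []))
    sess_ok = any(len(a) >= 2 and a[0].lower() == "requiresession" and a[1].lower() in _TRUE
                  for a in d.get("shibrequestsetting", []))
    return auth_ok and sess_ok


def _is_loopback(backend_url):
    host = urlsplit(backend_url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name, reachable from the network
        return False


def audit(text):
    """Return [(severity, message), ...]; an empty list means both invariants hold."""
    proxies, locations, globals_ = parse_conf(text)
    scopes = [globals_] + [loc["directives"] for loc in locations]
    uses_headers = any(a and a[0].lower() == "on"
                       for d in scopes for a in d.get("shibuseheaders", []))
    findings = []
    for path, backend in proxies:
        if not any(_requires_session(loc) for loc in locations if _covers(loc, path)):
            findings.append(("error", f"{path} is proxied to {backend} but no Location "
                                      f"block requires a Shibboleth session"))
        if uses_headers and not _is_loopback(backend):
            findings.append(("error", f"ShibUseHeaders On but backend {backend} is not "
                                      f"loopback: clients reaching it directly can forge "
                                      f"attribute headers"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONF) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

Run it against the real httpd.conf after every change; the page's own fragment passes, while adding an unguarded `ProxyPass "/shrine-admin/" ...` or pointing the backend at a hostname instead of 127.0.0.1 produces an error finding.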

...

  • entityID: the ID of our Service Provider (SP).
  • REMOTE_USER: the space-separated, ordered list of attribute names from which REMOTE_USER is populated. Note that "ecommonsid" (which is specific to HMS IT) comes first, so if the IdP returns it, REMOTE_USER is set to its value; otherwise the first attribute name in the list that matches an attribute returned by the IdP is used.
  • sessionHook: the URL of code running on Tomcat. It runs after the user authenticates and before Shibboleth redirects the user to the originally requested URL. More on this later.

...