Versions Compared

...

ServerName should be set to your SP host's address/name, for instance my-shibboleth-sp-host.net:

ServerName my-shibboleth-sp-host.net

## ADJUST_FOR_YOUR_SITE (ServerName)
ServerName shrine-sso-node01.catalyst.harvard.edu

...

The following tells Apache to proxy all calls to a URL starting with "shrine-api" to http://127.0.0.1:8080/shrine-api/. Therefore we need to set up Tomcat to listen for HTTP traffic on port 8080.

#### serve content from Tomcat
ProxyPass "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"
ProxyPassReverse "/shrine-api/" "http://127.0.0.1:8080/shrine-api/"
# as per https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335062/Apache:
# "You do not have to set UseCanonicalName On, but you usually should ..."
### XH : when set to On, no longer works (???)
UseCanonicalName On
#### whitelist URLs which need to be protected by Shibboleth
<LocationMatch "/shrine-api/">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local
  ShibUseEnvironment Off ## we are only using headers for now
  ShibUseHeaders On
</LocationMatch>

The following tells Apache to use Shibboleth for authentication of any URL starting with "shrine-api":

### require SSO login for all URLs containing "shrine-api"
#### whitelist URLs which need to be protected by Shibboleth
<LocationMatch "/shrine-api/">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local

The following tells Shibboleth to make the attributes it collects from the IdP available as request headers in Apache. This is the opposite of what is recommended. However, the recommended (and default) setup (ShibUseEnvironment On and ShibUseHeaders Off) requires proxying to Tomcat using the AJP protocol, which we are not using because it is being phased out of Tomcat; so we are proxying using the HTTP protocol. Because the attributes then travel as ordinary request headers, they are only trustworthy if every request to Tomcat arrives through Apache and the Shibboleth module, which is why Tomcat must accept traffic on port 8080 from localhost only (see the Tomcat connector note below).

  # as per https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig,
  # ShibUseEnvironment is strongly favored over ShibUseHeaders
  ShibUseEnvironment Off
  ShibUseHeaders On
</LocationMatch>

Shibboleth Configuration

Shibboleth consists of a daemon (shibd) plus an Apache module. This Apache module must be configured for Shibboleth to intercept certain requests. When a request is intercepted, Shibboleth decides whether the user (1) needs to log in at the configured IdP (which presents a login form to the user), or (2) is already logged in, in which case Shibboleth lets the request be served as if it had not intercepted it.

...

Tomcat should accept requests on port 8080 only from localhost. Something like the following (to be verified):

<Connector port="8080" protocol="HTTP/1.1"

...
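The Tomcat side of the constraint above (port 8080 reachable only from localhost), as an added example that is not part of the original page: a small Python audit that flags Tomcat Connector elements not bound to a loopback address and rewrites them. It assumes the standard server.xml layout and Tomcat's `address` Connector attribute; the sample server.xml is constructed.

```python
# Added example, not part of the original page: audit a Tomcat server.xml so
# that every Connector is bound to the loopback address.  Because Apache hands
# Shibboleth attributes to Tomcat as plain HTTP request headers
# (ShibUseHeaders On), a client that could reach Tomcat's port directly would
# be able to supply those headers itself, bypassing the Shibboleth module.
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def exposed_connectors(server_xml: str) -> list:
    """Return [(port, address), ...] for every Connector whose 'address'
    attribute is missing (Tomcat then listens on all interfaces) or is not a
    loopback address."""
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        address = connector.get("address")
        if address is None or address not in LOOPBACK_ADDRESSES:
            findings.append((connector.get("port"), address))
    return findings


def bind_to_loopback(server_xml: str) -> str:
    """Return server.xml with address="127.0.0.1" set on every Connector that
    is not already loopback-bound.  ElementTree drops XML comments, so for a
    real server.xml apply the same change by hand or with a comment-preserving
    editor."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if connector.get("address") not in LOOPBACK_ADDRESSES:
            connector.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


# Constructed sample: an unbound 8080 connector (Tomcat's shipped default)
# next to a correctly bound one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1"/>
  </Service>
</Server>"""


if __name__ == "__main__":
    for port, address in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"Connector on port {port} is bound to {address!r}; "
              f"expected one of {sorted(LOOPBACK_ADDRESSES)}")
    print(bind_to_loopback(SAMPLE_SERVER_XML))
```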