Page History
...
IdP (Identity Provider): A web-based system that can authenticate a user on behalf of another system called SP (for Service Provider).
...
Note: Apache version should be 2.4.10 or higher so that the local address request field gets populated for use in the back-end code (see: https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated, the back-end fails with an NPE when looking for the local address in the request.
/etc/httpd/conf.d/sp.conf
ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:
...
The following tells Apache to proxy all calls to a URL starting with "shrine-api" to http://127.0.0.1:80808009/shrine-api/. Therefore we need to set up Tomcat to listen for HTTP traffic on port 8080 8009 (see Tomcat Configuration below)
ProxyPassReverse ProxyPass "/shrine-api/" "httpajp://127.0.0.1:8080<YOUR_HOST>:8009/shrine-api/"
ProxyPass "/.
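Review bot: In the proxy step, the description and the ProxyPass line no longer name the same backend: the sentence still says http://127.0.0.1 and "HTTP traffic", while the directive carries both http and ajp, and both 127.0.0.1:8080 and <YOUR_HOST>:8009. State one scheme, host and port in both places, and make sure the Tomcat connector described under Tomcat Configuration matches it. If the target does move from 127.0.0.1 to <YOUR_HOST>, the connector is no longer reachable over loopback only, so the page should also say how access to that port is restricted to the Apache host. The trailing `ProxyPass "/.` line is cut off and ProxyPassReverse appears without its own arguments; both need completing.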
The following tells Apache to use Shibboleth for authentication for any URL starting with "shrine-api":
<LocationMatch "/shrine-api/">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user local
The following tells Shibboleth to make the attributes it collects from the IdP available as request headersattributes in Apache. This is the opposite of what is recommended, i.e. the Shibboleth documentation says that ideally ShibUseEnvironment
should be On (resulting in request attributes) and ShibUseHeaders
should be Off. However the recommended setup requires proxying to Tomcat using the AJP protocol, which we are not using because it is being phased out of Tomcat (so we are proxying using the HTTP protocol). Also, recommended over using the ShibUseHeaders
option. see https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig.
ShibUseEnvironment OffOn
ShibUseHeaders OnOff
</LocationMatch>
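Review bot: In the LocationMatch block, the paragraph above ShibUseEnvironment and ShibUseHeaders still explains that the setup is the opposite of the Shibboleth recommendation and that AJP is not used, yet both directives show changed values and the proxy line shows ajp. Rewrite the paragraph to match whichever values are final, and finish the sentence fragment "Also, recommended over using the ShibUseHeaders option." If ShibUseHeaders On is kept, say why it is acceptable here, since the page itself notes that the documentation prefers ShibUseEnvironment On with ShibUseHeaders Off. "Require valid-user local" also reads as two different Require arguments on one line; spell out which one is intended.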
Shibboleth Configuration
...