Apache version should be 2.4.10 or higher so that the local address field of the request gets populated for use in the back-end code (see: https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated, the back end fails with a NullPointerException (NPE) when looking for the local address in the request.

/etc/httpd/conf.d/sp.conf

ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:

ServerName shrine-sso-node01.catalyst.harvard.edu

The following tells Apache to proxy all calls to URLs starting with "shrine-api" to http://127.0.0.1:8009/shrine-api/ over the AJP protocol. Tomcat must therefore be set up to listen for AJP traffic on port 8009 (see Tomcat Configuration below). In sp.conf it looks like:

ProxyPass "/shrine-api/" "ajp://<YOUR_HOST>:8009/shrine-api/"

(TODO: does it really have to use <YOUR_HOST> instead of 127.0.0.1? In any case it needs to match the line above.)

The following tells Apache to use Shibboleth for authentication for any URL starting with "shrine-api":

<LocationMatch "/shrine-api/">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local

"ShibUseEnvironment On" tells Shibboleth to make the attributes it collects from the IdP available as request attributes in Tomcat. This is recommended over the "ShibUseHeaders On" option, which makes Shibboleth send the information as request headers. See: https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig

  ShibUseEnvironment On

  ShibUseHeaders Off

</LocationMatch>
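A way to check a deployed sp.conf against the settings described above, as an added example (not part of the original page or of the SHRINE or Shibboleth projects). The function names and the SAMPLE config are constructed for this illustration.

```python
import re

MIN_APACHE = (2, 4, 10)  # minimum version stated on this page

def apache_version_ok(banner):
    """Compare the `httpd -v` version numerically, so that 2.4.9 < 2.4.10."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return bool(m) and tuple(int(p) for p in m.groups()) >= MIN_APACHE

def parse(conf):
    """Return (top-level directives, {LocationMatch pattern: its directives})."""
    top, sections, current = [], {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r'<LocationMatch\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = sections.setdefault(opened.group(1), [])
        elif line.lower().startswith("</locationmatch"):
            current = None
        elif line and not line.startswith("#"):
            words = tuple(w.strip('"') for w in line.split())
            (top if current is None else current).append(words)
    return top, sections

def audit(conf, prefix="/shrine-api/"):
    """Return findings for the settings described above; [] means all present."""
    top, sections = parse(conf)
    findings = []
    target = re.compile(r"ajp://[^/:]+:8009" + re.escape(prefix) + "$")
    if not any(len(d) == 3 and d[0].lower() == "proxypass" and d[1] == prefix
               and target.match(d[2]) for d in top):
        findings.append("no ProxyPass from %s to AJP port 8009" % prefix)
    block = [tuple(w.lower() for w in d) for d in sections.get(prefix, [])]
    for need in (("authtype", "shibboleth"), ("shibuseenvironment", "on"),
                 ("require", "valid-user"), ("shibrequestsetting", "requiresession", "1")):
        if not any(d[:len(need)] == need for d in block):
            findings.append("missing in LocationMatch: " + " ".join(need))
    if ("shibuseheaders", "on") in block:
        findings.append("ShibUseHeaders is On: attributes sent as request headers")
    return findings

# Constructed sample config for this example, not taken from a real deployment.
SAMPLE = """ProxyPass "/shrine-api/" "ajp://127.0.0.1:8009/shrine-api/"
<LocationMatch "/shrine-api/">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local
  ShibUseEnvironment On
  ShibUseHeaders Off
</LocationMatch>"""
```

Pass the text of sp.conf to audit() and the output of `httpd -v` to apache_version_ok(); an empty findings list means every setting named on this page is present.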


