
The Apache version should be 2.4.10 or higher so that the local address field of the request gets populated for use in the back-end code (see: https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated, the back-end fails with a NullPointerException (NPE) when looking for the local address in the request.

/etc/httpd/conf.d/sp.conf

ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:

ServerName <your hostname>

The following tells Apache to proxy all calls to URLs starting with "shrine-api" to http://[your hostname]:8080/shrine-api/ over the AJP protocol. Therefore we need to set up Tomcat to listen for AJP traffic on port 8009 (see Tomcat Configuration below). In sp.conf it looks like:

ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"

The following tells Apache to use Shibboleth for authentication for a number of whitelisted URLs starting with "shrine-api":

<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">

  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local

"ShibUseEnvironment On" tells Shibboleth to make the attributes it collects from the IdP available as request attributes in Tomcat. We also need "ShibUseHeaders On" in order to pass the REMOTE_USER header to the Servlet. See https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig.

  ShibUseEnvironment On

  ShibUseHeaders On

</LocationMatch>
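The ProxyPass prefix above is broader than the LocationMatch whitelist, so it is worth checking which proxied paths actually get a Shibboleth session requirement. The following is an added example, not part of the original page or of SHRINE: it parses a constructed copy of the directives shown here (using the page's example hostname) and classifies constructed sample paths, with Python's `re` standing in for Apache's regex engine on this simple pattern.

```python
import re

# Constructed sample mirroring the directives on this page.
SP_CONF = '''
ServerName my-shibboleth-sp-host.net
ProxyPass "/shrine-api/" "ajp://my-shibboleth-sp-host.net:8009/shrine-api/"
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require valid-user local
  ShibUseEnvironment On
  ShibUseHeaders On
</LocationMatch>
'''

def parse(conf):
    """Return (AJP-proxied path prefixes, [(LocationMatch regex, directives)])."""
    prefixes, blocks, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r'ProxyPass\s+"?([^"\s]+)"?\s+"?ajp://', line, re.I):
            prefixes.append(m.group(1))
        elif m := re.match(r'<LocationMatch\s+"?([^">]+)"?\s*>', line, re.I):
            current = (re.compile(m.group(1)), [])
        elif line.lower() == '</locationmatch>' and current:
            blocks.append(current)
            current = None
        elif current and line:
            current[1].append(line.lower())
    return prefixes, blocks

def classify(path, conf=SP_CONF):
    """'not-proxied', 'shibboleth' (session required) or 'proxied-no-shibboleth'."""
    prefixes, blocks = parse(conf)
    if not any(path.startswith(p) for p in prefixes):
        return 'not-proxied'
    for regex, directives in blocks:
        # LocationMatch is unanchored: it matches anywhere in the URL path.
        if (regex.search(path) and 'authtype shibboleth' in directives
                and 'shibrequestsetting requiresession 1' in directives):
            return 'shibboleth'
    return 'proxied-no-shibboleth'

if __name__ == '__main__':
    # Constructed request paths; only the whitelisted prefixes come from the page.
    for p in ['/shrine-api/ontology/search', '/shrine-api/qep/queryResults',
              '/shrine-api/other/resource', '/index.html']:
        print(f'{p:32} {classify(p)}')
```

Any path reported as `proxied-no-shibboleth` reaches Tomcat over AJP without a Shibboleth session, so the application itself has to authenticate it or the whitelist has to be extended.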


