Apache version should be 2.4.10 or higher so that the local address request field gets populated for use in the back-end code (see: https://bz.apache.org/bugzilla/show_bug.cgi?id=56661). If it isn't populated, the back-end fails with a NullPointerException (NPE) when it looks for the local address in the request.
/etc/httpd/conf.d/sp.conf
ServerName should be set to your SP host's name, for instance my-shibboleth-sp-host.net:
ServerName <your hostname>
The following tells Apache to proxy all calls to URLs starting with "shrine-api" to the SHRINE web application that Tomcat serves on this host (http://[your hostname]:8080/shrine-api/), but over the AJP protocol rather than plain HTTP. Therefore we also need to set up Tomcat to listen for AJP traffic on port 8009 (see Tomcat Configuration below). In sp.conf it looks like:
ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"
The following tells Apache to redirect calls to the bare hostname to the landing page:
## hits to just the bare hostname should go to landing page
<LocationMatch "^/$">
RewriteEngine On
RewriteRule .* /shrine-api/shrine-webclient
</LocationMatch>
The following tells Apache to use Shibboleth for authentication for a number of whitelisted URLs starting with "shrine-api":
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user local
"
ShibUseEnvironment On"
tells Shibboleth to make the attributes it collects from the IdP available as request attributes in Tomcat. We also need "ShibUseHeaders On"
in order to pass the REMOTE_USER header to the Servlet. see
https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072327/NativeSPApacheConfig.
ShibUseEnvironment On
ShibUseHeaders On
The same block also sets no-cache headers, sets the isSsoMode cookie, and sets Access-Control-Allow-Origin, which must be populated with your IdP's hostname:
# no caching
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
# CORS / Access-Control
## ADJUST_FOR_YOUR_SITE:
Header set Access-Control-Allow-Origin [your idP's hostname, e.g. my.idp.edu]
# Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
# isSsoMode cookie
Header set Set-Cookie isSsoMode=true
</LocationMatch>
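As an added check (example code written for this page, not part of the SHRINE project or its shipped sp.conf), the following Python script parses an sp.conf fragment and reports anything that is still unfilled or missing: the ServerName and ProxyPass placeholders, a LocationMatch that uses AuthType shibboleth without the ShibUseEnvironment/ShibUseHeaders/no-cache directives, an Access-Control-Allow-Origin that is still a placeholder or a bare "*", and unbalanced LocationMatch tags. The sample configuration embedded in it is constructed from the fragments on this page, with the site placeholders deliberately left unfilled so the checker has something to flag; the `<...>`/`[...]` placeholder convention is an assumption taken from those fragments.

```python
"""Sanity-check an Apache sp.conf fragment for the Shibboleth/SHRINE settings
described on this page.  Added example, not SHRINE project code."""
import re

# Constructed sample: the page's fragments assembled, placeholders unfilled.
SAMPLE_SP_CONF = """\
ServerName <your hostname>
ProxyPass "/shrine-api/" "ajp://[your hostname]:8009/shrine-api/"
<LocationMatch "^/$">
RewriteEngine On
RewriteRule .* /shrine-api/shrine-webclient
</LocationMatch>
<LocationMatch "/shrine-api/(staticData|ontology|qep|steward|shrine-webclient)">
AuthType shibboleth
ShibRequestSetting requireSession 1
Require valid-user local
ShibUseEnvironment On
ShibUseHeaders On
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
Header set Access-Control-Allow-Origin [your idP's hostname, e.g. my.idp.edu]
Header set Set-Cookie isSsoMode=true
</LocationMatch>
"""

# Assumed placeholder convention: "<your hostname>" or "[your idP's hostname ...]".
PLACEHOLDER = re.compile(r"[<\[][^>\]]*[>\]]")

# Directives every Shibboleth-protected LocationMatch on this page carries.
REQUIRED_IN_SHIB_BLOCK = (
    "ShibRequestSetting requireSession 1",
    "ShibUseEnvironment On",
    "ShibUseHeaders On",
    'Header set Cache-Control "no-cache, no-store, must-revalidate"',
)


def parse_blocks(text):
    """Split the fragment into top-level lines and {LocationMatch pattern: lines}.
    Raises ValueError when LocationMatch tags are nested, stray or unclosed."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.match(r'<LocationMatch\s+"([^"]+)">', line)
        if opener:
            if current is not None:
                raise ValueError(f"nested LocationMatch at: {line}")
            current = opener.group(1)
            blocks[current] = []
        elif line == "</LocationMatch>":
            if current is None:
                raise ValueError("stray </LocationMatch>")
            current = None
        elif current is None:
            top.append(line)
        else:
            blocks[current].append(line)
    if current is not None:
        raise ValueError(f"unclosed <LocationMatch {current!r}>")
    return top, blocks


def check_sp_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top, blocks = parse_blocks(text)

    server = [line for line in top if line.startswith("ServerName ")]
    if not server:
        findings.append("ServerName missing")
    elif PLACEHOLDER.search(server[0]):
        findings.append("ServerName still holds a placeholder")

    proxy = [line for line in top if line.startswith("ProxyPass ")]
    if not proxy:
        findings.append("ProxyPass for /shrine-api/ missing")
    else:
        target = re.search(r'"([^"]+)"\s*$', proxy[0])  # last quoted argument
        if not target or not target.group(1).startswith("ajp://"):
            findings.append("ProxyPass target is not an ajp:// URL")
        elif ":8009/" not in target.group(1):
            findings.append("ProxyPass does not use AJP port 8009")
        if PLACEHOLDER.search(proxy[0]):
            findings.append("ProxyPass still holds a placeholder")

    shib = [p for p, lines in blocks.items() if "AuthType shibboleth" in lines]
    if not shib:
        findings.append("no LocationMatch block uses AuthType shibboleth")
    for pattern in shib:
        lines = blocks[pattern]
        for needed in REQUIRED_IN_SHIB_BLOCK:
            if needed not in lines:
                findings.append(f"{pattern}: missing '{needed}'")
        if not any(line.startswith("Require ") for line in lines):
            findings.append(f"{pattern}: no Require directive, session not enforced")
        acao = [line for line in lines
                if line.startswith("Header set Access-Control-Allow-Origin")]
        if not acao:
            findings.append(f"{pattern}: Access-Control-Allow-Origin not set")
        else:
            value = acao[0].split(None, 3)[3]
            if value == "*" or PLACEHOLDER.search(value):
                findings.append(f"{pattern}: Access-Control-Allow-Origin must name "
                                f"the IdP host, got {value}")
    return findings


if __name__ == "__main__":
    for finding in check_sp_conf(SAMPLE_SP_CONF):
        print("FINDING:", finding)
```

Run against the unfilled sample it reports the two hostname placeholders and the unfilled Access-Control-Allow-Origin; once those three values are replaced with real names it returns an empty list. One caveat worth keeping in mind when adapting the header lines: `Header set` replaces any existing response header of that name, so if the Tomcat back end ever sets its own cookie on these URLs, `Header add Set-Cookie` would be needed to keep both.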