EDS doesn't work where SP is protecting /
Description
So, if you are to set the SP to protect / (i.e. in /etc/httpd/conf.d/shib.conf you have:

<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

...then obviously you can't get to /shibboleth-ds/ without authenticating first. Which requires you to choose an IdP to authenticate at. Which requires the DS. Which requires you to authenticate first. Which requires... You see where I'm going with this!

If /etc/httpd/conf.d/shibboleth-ds.conf is modified to include "Satisfy Any" in its Location block, then you tell Apache to effectively ignore any access control directives it has inherited, meaning people can always get to /shibboleth-ds/. So changing the file to a little something like this seems to work nicely:

=====
#
# Basic Apache configuration
#
# Do NOT edit this file with your own settings,
# or they will be overwritten during upgrades.
#
<IfModule mod_alias.c>
  <Location /shibboleth-ds>
    Satisfy Any
    Allow from all
  </Location>
  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
  Alias /shibboleth-ds/index.html /etc/shibboleth-ds/index.html
</IfModule>
=====

Unless someone else has a reason for this being a stupid thing to do, I would suggest this be the default config, to avoid people who do want to protect / breaking the DS by accident.

Regards,
Rhys.
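A small lint for the condition described above, added here as an example and not part of this issue or of the Shibboleth project's code: it parses the two Apache snippets (constructed inline from the ones quoted in this issue) and reports whether /shibboleth-ds would inherit the session requirement from / without the "Satisfy Any" opt-out, i.e. whether the redirect loop would occur.

```python
import re

# Constructed samples: the SP config quoted in the issue, and the DS
# config without and with the suggested "Satisfy Any" line.
SHIB_CONF = """
<Location />
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>
"""
DS_CONF_BEFORE = """
<IfModule mod_alias.c>
  <Location /shibboleth-ds>
    Allow from all
  </Location>
  Alias /shibboleth-ds/index.html /etc/shibboleth-ds/index.html
</IfModule>
"""
DS_CONF_AFTER = DS_CONF_BEFORE.replace("Allow from all",
                                       "Satisfy Any\n    Allow from all")

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.I | re.S)


def location_blocks(conf):
    """Map each <Location path> to its directives as lower-cased token tuples."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf):
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if line:
                blocks.setdefault(path, []).append(tuple(line.lower().split()))
    return blocks


def root_requires_session(shib_conf):
    """True when "/" demands a Shibboleth session: AuthType shibboleth,
    requireSession on, and a Require rule that needs an authenticated user."""
    d = location_blocks(shib_conf).get("/", [])
    return (("authtype", "shibboleth") in d
            and any(t[:2] == ("shibrequestsetting", "requiresession")
                    and t[2:] in (("1",), ("true",)) for t in d)
            and any(t[:1] == ("require",) for t in d))


def ds_reachable(shib_conf, ds_conf, ds_path="/shibboleth-ds"):
    """False when the DS inherits the session requirement from "/" without
    opting out, i.e. the redirect loop the issue describes would occur."""
    if not root_requires_session(shib_conf):
        return True  # nothing inherited, so nothing to bypass
    return ("satisfy", "any") in location_blocks(ds_conf).get(ds_path, [])
```

The lint only looks for the 2.2-style "Satisfy Any" directive this issue proposes; on Apache 2.4 that directive is provided by mod_access_compat, so it must be loaded for the opt-out to take effect.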
Environment
None
Activity
Scott Cantor
January 10, 2015 at 6:19 PM
Added AuthType and moved commands inside Location block. Tested using comparable settings back to Apache 2.0.
You are both right of course. I had completely blanked out the existence of src/apache/shibboleth-ds.conf.
I'll defer to Scott as to whether we want to make that change to the conf file and indeed what they should be since I'd rather not clutter my mind up with that as well at this stage.
Rhys Rhys
January 5, 2015 at 9:30 AM
Yes, definitely not an SP issue. It's either an EDS config file issue, or documentation for the consequences of (and suggested fix for) requiring a Shib session when protecting / with the EDS also in place. I'm happy either way.