Skip to:
Atlassian uses cookies to improve your browsing experience, perform analytics and research, and conduct advertising. Accept all cookies to indicate that you agree to our use of cookies on your device. Atlassian cookies and tracking notice, (opens new window)
So, if you are to set the SP to protect / (i.e. in /etc/httpd/conf.d/shib.conf you have:
<Location />
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
...then obviously you can't get to /shibboleth-ds/ without authenticating first. Which requires you to choose an IdP to authenticate at. Which requires the DS. Which requires you to authenticate first. Which requires... You see where I'm going with this!
If /etc/httpd/conf.d/shibboleth-ds.conf is modified to include "Satisfy Any" in its Location block then you tell Apache to effectively ignore any access control directives it has inherited, meaning people can always get to /shibboleth-ds/. So changing the file to a little something like this seems to work nicely:
=====
Basic Apache configuration
Do NOT edit this file with your own settings,
or they will be overwritten during upgrades.
<IfModule mod_alias.c>
<Location /shibboleth-ds>
Satisfy Any
Allow from all
</Location>
Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
Alias /shibboleth-ds/index.html /etc/shibboleth-ds/index.html
</IfModule>
=====
Unless someone else has a reason for this being a stupid thing to do, I would suggest this was the default config to avoid people who do want to protect / breaking the DS by accident.
Regards,
Rhys.