Warning: Apache 2.4 Support

You should review this page and the htaccess page thoroughly because Apache 2.4 is much more complicated than earlier versions. In particular, if you're trying to combine Shibboleth with other authentication schemes (like Basic), you may need to enable the ShibCompatValidUser option, documented below.

...

It's critical that you correctly configure the virtual hosts you will be using with the SP module by setting the ServerName directive to the appropriate value. With Apache 2.x, this directive establishes not only the hostname but also the logical scheme and port the virtual host appears to run on from the client's point of view (e.g., ServerName https://sp.example.org:443), so it must reflect what the client actually sees rather than the socket Apache happens to listen on. If you fail to perform this step, the redirects generated by the module will be incorrect and various problems will ensue. Other related directives (varying by version) include UseCanonicalName and UseCanonicalPhysicalPort. Before you do anything with the SP, do the work to get these directives working for you so that redirects are generated properly.

You should usually set UseCanonicalName On for two reasons:

First, it's usually necessary to ensure that the redirects generated by the module are not affected by the client's choice of name (e.g., via use of /etc/hosts to map a custom hostname to the server). Failure to do this will often result in requests to the IdP with an unregistered response location that will be rejected there. There are ways around this but they're beyond the scope of this topic and depend on the IdP's cooperation.

Second, it's necessary to enable this option if you plan to use the <RequestMapper> feature in the SP configuration. The <RequestMapper> matches requests on the hostname Apache reports for them; with UseCanonicalName Off that is the client-supplied Host header, so an attacker can choose which rules apply simply by sending a different Host value. Failure to turn the option on will therefore render your system vulnerable to trivial attacks. If for some reason you don't want to turn it on, do NOT use the <RequestMapper> feature to determine how to protect content. Generally you don't have to use that feature with Apache, and the coupling to the canonical name option is the main reason it's not recommended.

Finally, on non-Windows systems you should make sure Apache is configured in so-called "worker" mode, using the "worker" MPM, either via a setting in an OS-supplied file like /etc/sysconfig/httpd or in the Apache configuration directly. Many servers come incorrectly configured in "prefork" mode, which emulates Apache 1.3's process model and causes vastly greater resource usage inside the shibd daemon.
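The following httpd.conf fragment is an added example (not taken from the Shibboleth wiki or the SP distribution) that applies the three points above in one place: the worker MPM, a pinned canonical scheme/host/port, and the canonical-name directives. The hostname, certificate paths and module file locations are assumptions; substitute the values for your own server and distribution.

```apache
# Added example (not from the Shibboleth wiki). Hostname, paths and module
# file names below are assumptions and vary by distribution and SP version.

# 1. Use the worker MPM. Apache 2.4 loads exactly one MPM as a module, so
#    make sure no other file (e.g. a distro-supplied 00-mpm.conf) loads
#    prefork as well. On Apache 2.2 builds the MPM is selected via the
#    binary, e.g. HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd.
LoadModule mpm_worker_module modules/mod_mpm_worker.so

# 2. Load the SP module (Apache 2.4 build of the module shown here).
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so

# 3. Pin the name, scheme and port the SP should believe it runs on.
<VirtualHost *:443>
    # scheme://host:port exactly as clients reach it. The module builds its
    # redirects and the AssertionConsumerService URL from this value, not
    # from the client's Host header, when UseCanonicalName is On.
    ServerName https://sp.example.org:443
    UseCanonicalName On
    UseCanonicalPhysicalPort On

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/sp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/sp.example.org.key

    # SAML endpoints handled by the SP module itself.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
</VirtualHost>
```

After a restart, request a protected URL using an alternate hostname that resolves to the same server (for example via an /etc/hosts entry) and confirm that the Location header of the redirect still names sp.example.org; if it echoes the hostname you supplied, UseCanonicalName or ServerName is not in effect for that virtual host.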

...

Note: Need AuthType and Require

You MUST supply the AuthType and Require directives at or above the "level" of the content you want to protect in the document tree, or the module won't run. You CANNOT rely solely on the <RequestMapper> because of Apache's internal design.

One of the "quirks" (I would say "bugs") in Apache is that it requires a complicated set of inter-related general directives to be in place before an "auth" module is ever asked to look at a request. Just because you load the module doesn't mean Apache will ever call on it to do any work. This can make things confusing: if you see Apache serving up content while the SP seems to be ignoring the requests, the absence of these directives is usually the problem.
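As an added example (not from the Shibboleth wiki), the fragment below shows the failure the note describes alongside the corrected configuration for Apache 2.4. The paths /broken, /secure and /lazy are assumptions chosen for illustration.

```apache
# Added example (not from the Shibboleth wiki). Paths are assumptions.

# BROKEN: no AuthType or Require is in scope, so Apache never enters the
# auth phase for this path and mod_shib is never consulted. Content under
# /broken is served to anyone, even though the SP module is loaded and
# requireSession is set.
<Location /broken>
    ShibRequestSetting requireSession 1
</Location>

# FIXED (Apache 2.4): AuthType names the module and Require forces Apache
# to run the auth phase. "Require shib-session" succeeds only when the
# SP has an established session, so unauthenticated clients are sent to
# the IdP.
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# Lazy-session variant: the module runs on every request and exports
# attributes when a session already exists, but does not force a login.
# Application code decides when to redirect to /Shibboleth.sso/Login.
<Location /lazy>
    AuthType shibboleth
    Require shibboleth
</Location>
```

If you need to keep a 2.2-style "Require valid-user" rule on Apache 2.4, for example when combining the SP with Basic authentication on the same path, the ShibCompatValidUser option mentioned in the warning at the top of this page is what restores the old behaviour; the rules above do not need it.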

...