...

Since the specifics will depend on how you have things set up, I can only document the scenario I found myself in.

Same Servers in Cluster, Container-Managed Authentication

...

Examples of Additional Mappings:

    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/profile/Shibboleth/HS</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/profile/SAML1/SOAP/AttributeQuery</url-pattern>
    </servlet-mapping>

  • Added an additional <url-pattern> to the set of container-protected paths.

...

ProtocolHandler Expressions:

    <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
        <Location>https://[^:/]+(:443)?/(shibboleth|idp/profile/Shibboleth)/SSO</Location> <!-- regex works when using default protocol ports -->
    </ProtocolHandler>
    <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
        <Location>https://[^:/]+(:443)?/(shibboleth|idp/profile/Shibboleth)/HS</Location> <!-- regex works when using default protocol ports -->
    </ProtocolHandler>
    <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
        <Location>.+:8443/(shibboleth/AA|idp/profile/SAML1/SOAP/AttributeQuery)</Location>
    </ProtocolHandler>
    <ProtocolHandler implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
        <Location>https://[^:/]+(:443)?/(shibboleth|idp(/profile)?)/Status</Location>
    </ProtocolHandler>

Technically I could have made each one distinct and only authorized the specific paths expected for that copy, but it was simpler just to keep them consistent using the regular expressions.
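To see which handler each request URL lands on under the shared regular expressions above, here is a small checker that I have added for illustration (it is not part of the IdP or of the original page). It applies each <Location> pattern to constructed sample URLs for both copies (/shibboleth and /idp), flags URLs that match no handler or more than one, and shows the port caveat from the comments: the SSO/HS patterns only accept the default 443, while the AttributeQuery pattern only accepts 8443. It assumes the IdP matches the pattern against the whole request URL (full-match semantics).

```python
import re

# <Location> regexes copied from the idp.xml fragment (Java regex syntax; valid in Python too)
HANDLER_LOCATIONS = {
    "ShibbolethV1SSOHandler (SSO)": r"https://[^:/]+(:443)?/(shibboleth|idp/profile/Shibboleth)/SSO",
    "ShibbolethV1SSOHandler (HS)": r"https://[^:/]+(:443)?/(shibboleth|idp/profile/Shibboleth)/HS",
    "SAMLv1_AttributeQueryHandler": r".+:8443/(shibboleth/AA|idp/profile/SAML1/SOAP/AttributeQuery)",
    "Shibboleth_StatusHandler": r"https://[^:/]+(:443)?/(shibboleth|idp(/profile)?)/Status",
}


def matching_handlers(request_url):
    """Return the names of every handler whose Location matches the whole request URL.

    Assumption: the IdP compares the pattern against the full URL (full-match semantics).
    """
    return [name for name, pattern in HANDLER_LOCATIONS.items()
            if re.fullmatch(pattern, request_url)]


def check_urls(urls):
    """Map each URL to its handler; flag URLs with no handler or with an ambiguous match."""
    report = {}
    for url in urls:
        hits = matching_handlers(url)
        if len(hits) == 1:
            report[url] = hits[0]
        elif not hits:
            report[url] = "NO HANDLER"
        else:
            report[url] = "AMBIGUOUS: " + ", ".join(hits)
    return report


# Constructed sample URLs for the two deployed copies of the IdP
SAMPLE_URLS = [
    "https://idp.example.org/shibboleth/SSO",
    "https://idp.example.org:443/idp/profile/Shibboleth/SSO",
    "https://idp.example.org/idp/profile/Shibboleth/HS",
    "https://idp.example.org:8443/shibboleth/AA",
    "https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery",
    "https://idp.example.org/idp/Status",
    "https://idp.example.org/idp/profile/Status",
    "https://idp.example.org:8443/shibboleth/SSO",  # non-default port: SSO regex does not match
    "http://idp.example.org/shibboleth/SSO",         # plain http: not matched either
]

if __name__ == "__main__":
    for url, handler in check_urls(SAMPLE_URLS).items():
        print(f"{handler:32} {url}")
```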

...

idp.xml Context Fragment:

    <Context docBase="${catalina.home}/shibboleth/webapps/shibboleth.war">
        <Parameter name="IdPConfigFile" value="file:///usr/local/shibboleth-idp/etc/prod/idp.xml" override="false"/>
        ...
    </Context>

shibboleth.xml Context Fragment:

    <Context docBase="${catalina.home}/shibboleth/webapps/shibboleth.war">
        <Parameter name="IdPConfigFile" value="file:///usr/local/shibboleth-idp/etc/prod/shibboleth.xml" override="false"/>
        ...
    </Context>

...

First, there was a bug in the handling of embedded links in various JSP pages served by the IdP. Since these files were already being customized by me, the bug was more a matter of customizing them correctly. The bug is described at https://issues.shibboleth.net/jira/browse/SIDPO-31. Fixing this requires making sure any content like style sheets or images that are inside the root of the war file are referenced with a request.getContextPath() prefix. Examples:

Old (broken) URL references:

    <link rel="stylesheet" type="text/css" href="main.css" />
    <img src="images/logo.jpg" alt="Logo" />

Fixed versions:

    <% String base = request.getContextPath(); %>
    <link rel="stylesheet" type="text/css" href="<%= base %>/main.css" />
    <img src="<%= base %>/images/logo.jpg" alt="Logo" />

The other issue concerned making SSO work, and was caused by the default path property associated with the cookies that the IdP was creating using the authHeaderName="COOKIE" feature. Since I wanted the SSO cookie to be visible to both copies, I needed to modify src/edu/internet2/middleware/shibboleth/idp/provider/SSOHandler.java and add cookie.setPath("/") to the getRemoteUser method.