Versions Compared

Old Version 20

changes.mady.by.user Thomas Lenggenhager

Saved on

compared with

New Version 21

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In contrast, when you divide things by path, you have to explicitly add XML to the configuration to establish a special handlerURL for the new application, as well as providing the necessary metadata. Typically it might look something like this :example. Here, the goal is to establish a separate override for the content inside "/secure/apps/special". In this example the entityID is also being overridden, but that will depend on exactly why you're doing the override.

Code Block
languagexml
titleExample of Path-Based Application Override (shibboleth2.xml)
<RequestMap applicationId="default">
    <Host name="www.example.org">
        <Path name="myappfoldersecure" requireSession="true">
			<Path name="apps">
				<Path name="special" applicationId="myappname"/>example-special"/>
			</Path>
		</Path>
    </Host>
</RequestMap>
...
<ApplicationDefaults ... entityID="https://www.example.org/shibboleth">
...
    <ApplicationOverride id="myappname" entityId="https://www.example.org/special/shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
			handlerURL="/myappfoldersecure/apps/special/Shibboleth.sso" />
    </ApplicationOverride>
</ApplicationDefaults>

...

Luckily, you do NOT have to actually redefine all of the handler the <Sessions> element's typical child elements. Those will still be inherited, and their locations will be adjusted relative to the new handlerURL you define.

The other key here is to recognize that the handlerURL lives inside the path you set aside for this application to use. It MUST map to the corresponding applicationId, just like any other resources that make makes up the application. It's literally part of the application. If you fail to make that connection, you will typically experience looping behavior or errors involving invalid audience conditions, because the SAML assertion delivered to the incorrectly specified handlerURL will be associated with the wrong application and entityID, usually the "default" one.

...

If the application is intended to function as a new separate logical SP with its own entityID, then all of the information in the previous section still applies, but of course the endpoints would be found in a new metadata instance (<md:EntityDescriptor>) with the new entityID.

...