Here's a short recipe for deploying a Shibboleth-protected resource behind another web server. This may come in handy if you can't modify the proxying (or frontend) web server, e.g. because it doesn't support DSO or runs on an esoteric platform (AIX, HPUX, etc.), but you still have to integrate some Shibboleth-protected content into its namespace.
The reverse proxy handles all HTTP and HTTPS and speaks plain HTTP to the backend, so the Backend is completely invisible (except to the Proxy, of course). Be sure to use this only on a trusted network: the SAML assertions and the SP's session cookies travel unencrypted between the Proxy and the Backend.
Copying from SPForwardProxy, here's a description of the flow of information:

1. The browser requests https://mainsite.example.org/secure
2. mainsite.example.org intercepts the request and forwards it internally to backend.example.org/secure
3. <Location /secure> is protected by Shibboleth on the Backend; the SP there redirects the browser to the IdP (or WAYF) with a SHIRE value of https://mainsite.example.org/Shibboleth.sso/SAML/POST and a target value of https://mainsite.example.org/secure (with the appropriate providerId per configuration)
4. The Proxy also forwards /Shibboleth.sso to the Backend (besides /secure)
5. The IdP POSTs to https://mainsite.example.org/Shibboleth.sso/SAML/POST with an authentication assertion, which mainsite.example.org forwards to the Backend like any other request under /Shibboleth.sso.
Proxy: any old Apache with mod_proxy will do.

    ProxyPass        /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
    ProxyPassReverse /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
    ProxyPass        /secure/         http://backend.example.org/secure/
    ProxyPassReverse /secure/         http://backend.example.org/secure/
Backend: Apache 2.2 with mod_shib.

httpd.conf: set ServerName to the scheme, ServerName and Port of the Proxy, so that self-referential URLs (the SP's handler and redirect locations) are built with the Proxy's name rather than the Backend's; see http://httpd.apache.org/docs/2.2/en/mod/core.html#servername

    ServerName https://mainsite.example.org:443
shibboleth.xml: set Hostname in the RequestMap to "mainsite.example.org" (ignore scheme and port). Under Applications -> Sessions set (or leave the default) handlerURL="/Shibboleth.sso" and set handlerSSL="true".
The Metadata describing the SP's ACS (configured at the IdP) also points to mainsite.example.org, as this path is also proxied to the Backend (see above).

    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://mainsite.example.org/Shibboleth.sso/SAML/POST"/>
    <AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://mainsite.example.org/Shibboleth.sso/SAML/Artifact"/>
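The three places above (the Proxy's ProxyPass lines, the SP's RequestMap/Sessions settings and the metadata held by the IdP) must agree on one hostname, scheme and handler path, or the IdP will POST the assertion somewhere the Proxy does not forward. The following script is an added example, not part of the recipe or of the Shibboleth or Apache projects: it embeds constructed copies of the fragments shown on this page and checks them for consistency. It also mimics, in simplified form, what ProxyPassReverse does to a backend-issued Location header, to show why those lines matter. The function and variable names are this example's own.

```python
"""Consistency check for a Shibboleth SP deployed behind a reverse proxy.

Added example, not part of the original recipe. It embeds constructed copies
of the proxy's ProxyPass lines, the SP's RequestMap/Sessions settings and the
IdP-side metadata from the recipe, then verifies that every
AssertionConsumerService URL the IdP will POST to is (a) HTTPS, (b) on the
proxy's hostname, (c) under the SP's handlerURL and (d) actually forwarded
by the proxy to the backend.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input: the Proxy's mod_proxy directives from the recipe.
PROXY_CONF = """
ProxyPass        /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPass        /secure/         http://backend.example.org/secure/
ProxyPassReverse /secure/         http://backend.example.org/secure/
"""

# Constructed sample input: the relevant shibboleth.xml settings from the recipe.
REQUESTMAP_HOSTNAME = "mainsite.example.org"
HANDLER_URL = "/Shibboleth.sso"
HANDLER_SSL = True

# Constructed sample input: the SP metadata fragment from the recipe, wrapped
# in the minimal SAML metadata envelope the IdP would hold.
METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><SPSSODescriptor>
<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://mainsite.example.org/Shibboleth.sso/SAML/POST"/>
<AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://mainsite.example.org/Shibboleth.sso/SAML/Artifact"/>
</SPSSODescriptor></EntityDescriptor>"""

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def parse_proxy_directives(conf):
    """Return two dicts {local_prefix: backend_url}: ProxyPass and ProxyPassReverse."""
    forward, reverse = {}, {}
    for line in conf.splitlines():
        m = re.match(r"\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        table = forward if m.group(1) == "ProxyPass" else reverse
        table[m.group(2)] = m.group(3)
    return forward, reverse


def is_forwarded(path, forward):
    """True if some ProxyPass prefix covers this request path."""
    return any(path.startswith(prefix) for prefix in forward)


def reverse_rewrite(location, reverse):
    """Simplified model of ProxyPassReverse on a backend-issued Location header:
    a backend URL under a mapped prefix becomes the proxy-side path; anything
    else passes through unchanged and would leak the backend's name to the
    browser (which cannot reach it)."""
    for local_prefix, backend_url in reverse.items():
        if location.startswith(backend_url):
            return local_prefix + location[len(backend_url):]
    return location


def acs_locations(metadata_xml):
    """All AssertionConsumerService Location URLs in the SP's metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(MD_NS + "AssertionConsumerService")]


def check_acs_consistency(metadata_xml, proxy_conf, hostname, handler_url, handler_ssl):
    """Return a list of problems; an empty list means the three configs agree."""
    forward, _ = parse_proxy_directives(proxy_conf)
    problems = []
    for loc in acs_locations(metadata_xml):
        u = urlsplit(loc)
        if handler_ssl and u.scheme != "https":
            problems.append(f"{loc}: handlerSSL is on but ACS is not https")
        if u.hostname != hostname:
            problems.append(f"{loc}: host does not match RequestMap Hostname {hostname}")
        if not u.path.startswith(handler_url + "/"):
            problems.append(f"{loc}: path is not under handlerURL {handler_url}")
        elif not is_forwarded(u.path, forward):
            problems.append(f"{loc}: proxy has no ProxyPass covering this path")
    return problems


if __name__ == "__main__":
    for p in check_acs_consistency(METADATA, PROXY_CONF, REQUESTMAP_HOSTNAME,
                                   HANDLER_URL, HANDLER_SSL) or ["configuration is consistent"]:
        print(p)
```

Run it against a metadata file exported from your IdP (or the SP's own generated metadata) whenever the Proxy's ProxyPass lines or the RequestMap change; a non-empty result means an ACS endpoint the IdP would POST to is either not HTTPS, not on the Proxy's name, or not forwarded.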