Friday 7 November 2008

Split shibboleth-sp 1.3 configuration

I'm trying to clarify to myself how to configure shibboleth-sp 1.3 on Debian GNU/Linux with two name-based virtual hosts.

The problem is: the SP must redirect the user to the IdP, and the IdP must send the user back to the virtual host the request came from, not to the other one.

I'm quite sure that two entries hardcoded to the site name have to appear in metadata.xml.

I'm less sure how to modify shibboleth.xml. The question is whether I should add an Application element inside Applications. Note that this Application is nearly empty, as it inherits the Sessions and CredentialUse elements.

Ok: it turns out that an Application element inside Applications is needed in shibboleth.xml (the file is XML, so element and attribute names are case-sensitive: Application, homeURL, supportContact and so on have to be written exactly like this):

<Application id="my_id" homeURL="http://my_virtual_host.unimore.it"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <Errors session="/etc/shibboleth/sessionError.html"
        metadata="/etc/shibboleth/metadataError.html" rm="/etc/shibboleth/rmError.html"
        access="/etc/shibboleth/accessError.html" ssl="/etc/shibboleth/sslError.html"
        supportContact="my_admin@unimore.it" logoLocation="/shibboleth-sp/logo.jpg"
        styleSheet="/shibboleth-sp/main.css"/>
</Application>

Then a new Host element inside the RequestMap (the RequestMapProvider section), again in shibboleth.xml, whose applicationId points at the Application above so that requests for this virtual host use it:

<Host name="my_virtual_host.unimore.it" applicationId="my_id">
    <Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

But, surprise surprise, in metadata.xml it is enough to add two more AssertionConsumerService endpoints, one per SAML 1 binding, for the second host. The IdP only returns the user to an AssertionConsumerService Location that is listed in the SP metadata, so each virtual host needs its own POST and Artifact endpoint with a unique index. Note that these Location values are plain http, so the signed assertion is posted in the clear; in production they should be https:

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
    Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/POST" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
    Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact" index="2"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
    Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/POST" index="3"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
    Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact" index="4"/>
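The two files have to agree with each other: every Host the RequestMap protects needs both SAML 1 AssertionConsumerService bindings registered in metadata.xml on that same host name, the index values must be unique, and the endpoints should be https. The following checker is an added example, not code from this post or from shibboleth-sp; it parses both files by local element name (so it does not care about namespace prefixes) and reports what is missing. The embedded shibboleth.xml and metadata.xml are constructed, trimmed sample input, and the entityID in them is an assumption.

```python
"""Added helper (not part of shibboleth-sp): cross-check the RequestMap
hosts in shibboleth.xml against the AssertionConsumerService endpoints in
metadata.xml, which is where a two-vhost SP setup tends to break."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POST_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
REQUIRED_BINDINGS = (POST_BINDING, ARTIFACT_BINDING)


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}Host' -> 'Host'."""
    return tag.rsplit("}", 1)[-1]


def request_mapper_hosts(shibboleth_xml):
    """Sorted names of every <Host> element in shibboleth.xml."""
    root = ET.fromstring(shibboleth_xml)
    return sorted({e.get("name") for e in root.iter()
                   if _local(e.tag) == "Host" and e.get("name")})


def acs_endpoints(metadata_xml):
    """(Binding, Location, index) of every AssertionConsumerService, in file order."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"), e.get("index"))
            for e in root.iter() if _local(e.tag) == "AssertionConsumerService"]


def check_sp_config(shibboleth_xml, metadata_xml):
    """Return a sorted list of findings; an empty list means the files agree."""
    findings = []
    endpoints = acs_endpoints(metadata_xml)

    # The IdP only returns the user to an ACS Location it finds in metadata,
    # so every protected virtual host needs both SAML 1 bindings on its own name.
    for host in request_mapper_hosts(shibboleth_xml):
        for binding in REQUIRED_BINDINGS:
            if not any(b == binding and urlparse(loc).hostname == host
                       for b, loc, _ in endpoints):
                findings.append(f"missing ACS {binding.rsplit(':', 1)[-1]} for host {host}")

    # index must be unique per endpoint, otherwise the metadata is ambiguous.
    seen = {}
    for _, loc, idx in endpoints:
        if idx in seen:
            findings.append(f"duplicate ACS index {idx}: {seen[idx]} and {loc}")
        else:
            seen[idx] = loc

    # The signed assertion is POSTed to these URLs; plain http sends it in the clear.
    for _, loc, _ in endpoints:
        if urlparse(loc).scheme != "https":
            findings.append(f"non-https ACS location {loc}")

    return sorted(findings)


# Constructed sample shibboleth.xml, trimmed to the elements the checker reads.
SHIBBOLETH_XML = """<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0">
  <RequestMap applicationId="default">
    <Host name="my_first_virtual_host.unimore.it" applicationId="default">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
    <Host name="my_second_virtual_host.unimore.it" applicationId="my_id">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap>
</SPConfig>"""

# Constructed sample metadata.xml; the entityID is an assumption. Each ACS sits
# on one line so broken variants can be built by dropping or editing a line.
METADATA_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://my_first_virtual_host.unimore.it/shibboleth">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/POST" index="1"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://my_first_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact" index="2"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/POST" index="3"/>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://my_second_virtual_host.unimore.it/Shibboleth.sso/SAML/Artifact" index="4"/>
</SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for finding in check_sp_config(SHIBBOLETH_XML, METADATA_XML):
        print(finding)
```

Run against the sample above it reports only the four non-https endpoints; drop one of the second host's ACS lines and it also reports the missing binding for that host, which is exactly the case where the IdP would refuse to send the user back to the second virtual host.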
