The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

SPReverseProxy

Deploy the Shibboleth SP behind a Reverse Web Proxy

Here's a short recipe for deploying a Shibboleth-protected resource behind another web server. This may come in handy if you can't modify the proxying (or frontend) web server, e.g. because it doesn't support DSO or runs on an esoteric platform (AIX, HPUX, etc.), but you still have to integrate some Shibboleth-protected content into its namespace.
The reverse proxy handles all HTTP and HTTPS traffic and speaks plain HTTP to the backend (be sure to use this only on a trusted network, since the SAML assertion and the session cookie cross that hop unencrypted), so the Backend is completely invisible (except to the Proxy, of course).

Copying from SPForwardProxy, here's a description of the flow of information:

  1. Browser attempts to access https://mainsite.example.org/secure;
  2. Proxy at mainsite.example.org intercepts the request and forwards it internally to backend.example.org/secure;
  3. The <Location /secure> is protected by Shibboleth on the Backend;
  4. The Shibboleth installation on the backend also intercepts the request and generates a redirect with a SHIRE value of https://mainsite.example.org/Shibboleth.sso/SAML/POST and target value of https://mainsite.example.org/secure (with the appropriate providerId per configuration);
  5. Proxy also proxies /Shibboleth.sso to the Backend (besides /secure);
  6. Browser user authenticates and bounces back to https://mainsite.example.org/Shibboleth.sso/SAML/POST with an authentication assertion;
  7. Backend gets the request from mainsite.example.org;
  8. Backend queries for attributes, applies auth/z logic and generates and returns the page per usual.

Apache Proxy

Any old Apache with mod_proxy will do.

ProxyPass        /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPass        /secure/         http://backend.example.org/secure/
ProxyPassReverse /secure/         http://backend.example.org/secure/

Backend

Apache

Apache 2.2 with mod_shib.

shibboleth.xml

  • set Hostname in RequestMap to "mainsite.example.org", ignore scheme and port.
  • in Applications -> Sessions set (or leave the default) handlerURL="/Shibboleth.sso" and set handlerSSL="true"

Metadata

The metadata describing the SP's ACS (configured at the IdP) also points to mainsite.example.org, since the handler path is proxied to the Backend as well (see above).

<AssertionConsumerService index="1" isDefault="true"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
  Location="https://mainsite.example.org/Shibboleth.sso/SAML/POST"/>
<AssertionConsumerService index="2"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
  Location="https://mainsite.example.org/Shibboleth.sso/SAML/Artifact"/>
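
A consistency check for the proxy rules and the metadata above, as an added example that is not part of the original Shibboleth documentation: it confirms that every ACS Location is an https URL on the proxy's hostname and that its path falls under a ProxyPass prefix, and that each ProxyPass has a matching ProxyPassReverse. The function names and the wrapper element around the metadata fragment are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Inputs copied from this page; the <SPSSODescriptor> wrapper is added here
# (an assumption) so that the metadata fragment parses as one document.
PROXY_CONF = """
ProxyPass        /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPassReverse /Shibboleth.sso/ http://backend.example.org/Shibboleth.sso/
ProxyPass        /secure/         http://backend.example.org/secure/
ProxyPassReverse /secure/         http://backend.example.org/secure/
"""
METADATA = """<SPSSODescriptor>
<AssertionConsumerService index="1" isDefault="true"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
  Location="https://mainsite.example.org/Shibboleth.sso/SAML/POST"/>
<AssertionConsumerService index="2"
  Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
  Location="https://mainsite.example.org/Shibboleth.sso/SAML/Artifact"/>
</SPSSODescriptor>"""

def proxy_rules(conf):
    """Return {directive: {public_prefix: backend_url}} for both directives."""
    rules = {"ProxyPass": {}, "ProxyPassReverse": {}}
    for m in re.finditer(r"^\s*(ProxyPass(?:Reverse)?)\s+(\S+)\s+(\S+)", conf, re.M):
        rules[m.group(1)][m.group(2)] = m.group(3)
    return rules

def check(conf, metadata, public_host):
    """Return a list of problems; an empty list means proxy and metadata agree."""
    rules, problems = proxy_rules(conf), []
    for prefix, backend in rules["ProxyPass"].items():
        if rules["ProxyPassReverse"].get(prefix) != backend:
            problems.append(f"{prefix}: no matching ProxyPassReverse")
    for acs in ET.fromstring(metadata).iter("AssertionConsumerService"):
        loc = acs.get("Location")
        url = urlsplit(loc)
        if url.scheme != "https":
            problems.append(f"{loc}: ACS is not https")
        if url.hostname != public_host:
            problems.append(f"{loc}: ACS host is not the proxy")
        if not any(url.path.startswith(p) for p in rules["ProxyPass"]):
            problems.append(f"{loc}: path not proxied to the backend")
    return problems

if __name__ == "__main__":
    print(check(PROXY_CONF, METADATA, "mainsite.example.org") or "consistent")
```

An ACS Location that names the backend host or uses http would make the IdP send the browser somewhere it cannot reach through the proxy, which is the misconfiguration this check flags.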