0

We have a RHEL 5.5 server in production with a few NameBasedVirtual hosts listening on port 80.

We also have two (possibly mis-configured) SSL virtual hosts which use different Sockets as required by the Apache & the SSL protocol:

I am attempting to shibbolize only https://redcap-test.xyz.org.

After installing shibboleth 2.0 and configuring for a test identity provider, Shibboleth appears to be working on https://redcap.xyz.org.

Unfortunately, when I hit https://jira.xyz.org it also attempts to use shibboleth and throws an error.

Please note that jira.xyz.org and redcap-test.xyz.org worked fine using this configuration until I installed shibboleth.

Is there some obvious place to enable or disable shibboleth on a per vhost basis?

Does anyone see any glaring mistakes in my virtual hosts, available here:

Or my shibboleth configuration:

EDIT 1: I'm thinking maybe I can specify whether to use Shibboleth or not using the AuthType derivative...still looking for documentation on this.

iainlbc

2 Answers

1

You need to use a certificate that is issued for both domains using subjectAltName. See also: http://wiki.cacert.org/VhostTaskForce

Mircea Vutcovici
  • This seems to apply to "Name Based Virtual Hosts" which is not what I am attempting to achieve. Both SSL Virtual hosts have their own socket (IP+Port) and function correctly when shibboleth is not installed. My problem is that when shibboleth is installed it's attempting to function on all SSL hosts and I need it only on 1 of the 2. – iainlbc Feb 16 '11 at 19:55
1

From the Apache configuration you've posted, it appears that you've ended up with Shibboleth enabled globally rather than within the virtual host you want it to work in. I say "appears", since neither AuthType nor Require appear in the file you've posted, which implies to me that the authorization is set up globally under mods-enabled/shib.conf (or something similar). You'll need to move the authorization bits from that file to the <VirtualHost> directive you want Shibboleth enabled on (or a <Location> or <Directory> directive within that vhost).

DerfK
  • Yes...this. This makes sense. This is why I never ask questions on serverfault; it always ends up being something simple & makes me feel defeated. Irregardless - Thank you for solving – iainlbc Feb 16 '11 at 20:52