I have a Shibboleth SP instance on Server 2008 R2 and everything is authenticating fine with the IdP.

I was testing protecting a single page and that is working fine by doing the following in the shibboleth2.xml file:

<Host name="MyUrl.com">
     <Path name="page.jsp" authType="shibboleth" requireSession="true"/>
</Host>

When I go to https://MyUrl.com/page.jsp I get redirected to enter credentials, and then end up back on page.jsp.

Now I found out that I should be protecting the Document Root, but not the entire site.
Basically I need to be authenticated by Shibboleth, and once I am, I'll get redirected back to the Document Root, where a session is set with separate software; I get redirected to a different page, and the Document Root will never be used again.

Any help is appreciated.

OrangeGrover

2 Answers


I do not see an easy way to do this with IIS. However...

My recommendation is that you check for the values (the HTTP headers when using IIS) that Shibboleth supplies. If they are there, all is fine. If not, you redirect to your login URL, like

https://MyUrl.com/auth.jsp <---- this is protected by shibboleth

On this url you can set up your application session and if everything is fine you can redirect back to the main page.

cstamas
  • I do have a similar workaround in place. I was just hoping that there was a more elegant solution that would allow for a more standard install. – OrangeGrover Sep 29 '12 at 18:40
  • I would not say this is a workaround. Moodle (on Apache) uses the same method. – cstamas Sep 29 '12 at 19:00
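
The flow this answer describes, as an added example that is not part of the original answer or of Shibboleth: a plain-Java model of the decision an application makes on each request. The header names `Shib-Session-ID` and `eppn` (the second depends on the local attribute-map.xml), the fixed `HOME` target, and the choice to trust the headers only on the protected auth.jsp are assumptions.

```java
import java.util.Map;
import java.util.TreeMap;

public class ShibGate {
    // Assumed names: Shib-Session-ID is exported by the SP for an active session;
    // "eppn" stands in for whatever attribute-map.xml maps at this site.
    static final String SID = "Shib-Session-ID", USER = "eppn";
    static final String AUTH_PATH = "/auth.jsp"; // the only path protected in shibboleth2.xml
    static final String HOME = "/";              // fixed target, never taken from the request

    /** Returns the Shibboleth user if both headers are present and non-empty, else null. */
    static String shibUser(Map<String, String> headers) {
        String sid = headers.get(SID), user = headers.get(USER);
        return (sid == null || sid.isEmpty() || user == null || user.isEmpty()) ? null : user;
    }

    /** Decides what a request gets; appUser is the user held in the application session, or null. */
    static String decide(String path, Map<String, String> headers, String appUser) {
        if (path.equals(AUTH_PATH)) {
            // Headers are trusted only here, where the SP enforces requireSession="true".
            // Missing headers on this path mean the protection is misconfigured: refuse.
            String user = shibUser(headers);
            return user == null ? "403" : "LOGIN " + user + " -> 302 " + HOME;
        }
        // Every other page relies on the application session created at auth.jsp.
        return appUser != null ? "200" : "302 " + AUTH_PATH;
    }

    /** Builds a header map with case-insensitive names, as HTTP header names are. */
    static Map<String, String> headers(String... kv) {
        Map<String, String> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        System.out.println(decide("/", headers(), null));
        System.out.println(decide("/auth.jsp",
                headers("shib-session-id", "_abc", "EPPN", "user@example.org"), null));
        System.out.println(decide("/auth.jsp", headers("eppn", "user@example.org"), null));
        System.out.println(decide("/", headers(), "user@example.org"));
    }
}
```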

How about this?

<Host name="MyUrl.com">
     <PathRegex regex=".*" authType="shibboleth" requireSession="true" />
</Host>

Essentially, a regex to protect the entire root.

Edit #1 - Just saw how old this was... yikes.

TechFanDan