
I am wondering if it is possible to only have one Shibboleth Service Provider (SP) if you pass requests to all your sites through one reverse proxy (with SSL offloading, etc.).

So, let's say I have the following sites at different domains:

example.org
blog.example.org
wiki.example.org

The sites themselves and their respective web servers all reside in their own VMs and cannot communicate with the outside directly. I have another VM that only runs a reverse proxy for all those domains and passes requests on to the web server in the respective VM. Let's call that reverse proxy proxy.example.org (note that this wouldn't be an accessible domain name).

Now, instead of configuring an SP for each site, I'd like to install it only on proxy.example.org, configuring it so that each request to

example.org/secure
blog.example.org
wiki.example.org

will trigger a Shibboleth authentication. After a successful auth the request gets passed on. Is that possible?

I am asking as I only found this resource https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy which I find very ambiguous, as it only says

  • The location /secure on the resource is protected by a Shibboleth SP
  • The Shibboleth SP intercepts the request and generates a SAML2 AuthnRequest with an AssertionConsumerServiceURL of https://proxy.example.org/Shibboleth.sso/SAML2/POST

So I don't really know where the SP(s) have to be installed...


1 Answer

Yes, it is possible. I configured a single Shib proxy some years ago. Here is all the documentation I wrote back then (it's a setup on Solaris; some things may be different on Linux). You will need a server which holds the application you want to protect and a proxy server with the Shibboleth stuff and some proxy rules on it.

  • Install a zone (or Linux server) (will be used as the Shibboleth proxy)
  • Compile the Shib daemon (or just install it on Linux)
  • Register the host in the IdP Shib AAI registry
  • Check the daemon configuration: shibd -t -c /opt/AAI/etc/shibboleth/shibboleth2.xml
  • After installing the daemon, we have to configure it for "proxy" use. But first, we want to test our initial setup. Open the file shibboleth2.xml and look for bad URLs in the file. Everything should point to your site. Search for Handler type="Status" and remove the ACLs at the end. Your handler should look like: <Handler type="Status" Location="/Status" />
  • Now you can point your browser to the status page, http://DOMAIN/Shibboleth.sso/Status. If you see XML output, everything is fine. If not, check your Shibboleth configuration.
  • Now on to the Apache web server: test a single PHP or HTML file to ensure Apache works as expected. Set up the application which you want to secure with the proxy (this will be on a different server). Don't forget to edit the firewall and allow access from the (AAI) proxy to the web server.
  • Now we add a new service (this is done on the AAI proxy):
    • Create a new CNAME that points to the Shibboleth (AAI) proxy server
    • Log in to the AAI proxy server via ssh
    • Edit shibboleth2.xml: add a new application override. Copy this stub: <ApplicationOverride id="<APP NAME>" entityID="https://<DOMAIN>/shibboleth" />
    • Replace APP NAME and DOMAIN
    • Edit /opt/csw/apache2/etc/extra/httpd-vhosts.conf (will be different on Linux)
    • Add a new vhost.
    • Copy this stub:

    NameVirtualHost IPADDR:80
    <VirtualHost IPADDR:80>
        ServerName DOMAIN
        ServerAdmin foo@bar.com
        # Plain HTTP is never served; everything goes to HTTPS.
        Redirect / https://DOMAIN/
        ErrorLog var/log/aai.error.log
        CustomLog var/log/aai.access.log common
    </VirtualHost>
    <VirtualHost IPADDR:443>
        ServerName DOMAIN
        ServerAdmin foo@bar.com
        # The Shibboleth handler shall process all HTTPS requests...
        <Location />
            Order deny,allow
            Allow from all
            AuthType shibboleth
            ShibRequestSetting applicationId APPNAME
            ShibUseHeaders On
            Require shibboleth
        </Location>
        # ...but only enforce a Session for the location below.
        <Location /secure>
            AuthType shibboleth
            ShibRequireSession On
            ShibRequestSetting applicationId APPNAME
            ShibUseHeaders On
            Require valid-user
        </Location>
        SSLEngine On
        SSLCertificateFile etc/server.crt
        SSLCertificateKeyFile etc/server.key
        SSLCertificateChainFile etc/server-ca.crt
        # Reverse proxy only: ProxyRequests off keeps this from being an open forward proxy.
        SSLProxyEngine on
        ProxyRequests off
        ProxyPass /secure https://WEBSERVERURL
        ProxyPassReverse /secure https://WEBSERVERURL
        ProxyPreserveHost On
        ErrorLog var/log/APPNAME.error.log
        CustomLog var/log/APPNAME.access.log common
    </VirtualHost>

    • Replace APPNAME, WEBSERVERURL, IPADDR and DOMAIN; you will have to change the paths for your setup too.
    • Restart Apache and shibd

Enjoy
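As an added example (not the answer's own config), here is how the stub above maps onto the asker's three hostnames on a single proxy: example.org uses the SP's default application with a lazy session and enforces login only under /secure, while blog.example.org runs under a separate ApplicationOverride. It assumes ApplicationOverride ids "blog" and "wiki" exist in shibboleth2.xml (hypothetical names) and uses constructed backend addresses 10.0.0.11-13 that only the proxy VM can reach.

```apache
# Added example (not the answer's own config). Assumes ApplicationOverride ids
# blog/wiki exist in shibboleth2.xml; backend IPs 10.0.0.11-13 are constructed.
SSLProxyEngine On
ProxyRequests Off          # reverse proxy only, never an open forward proxy
ProxyPreserveHost On

# example.org: lazy session site-wide, a login is enforced only under /secure
<VirtualHost *:443>
    ServerName example.org
    SSLEngine On
    SSLCertificateFile    /etc/ssl/example.org.crt
    SSLCertificateKeyFile /etc/ssl/example.org.key
    <Location />
        AuthType shibboleth
        ShibUseHeaders On
        Require shibboleth                  # lazy: attributes only if a session exists
    </Location>
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1 # no session: redirect to the IdP
        Require valid-user
    </Location>
    ProxyPass        /Shibboleth.sso !      # SP handlers stay on the proxy
    ProxyPass        / https://10.0.0.11/
    ProxyPassReverse / https://10.0.0.11/
</VirtualHost>

# blog.example.org: whole host behind the "blog" application override, so the
# SP acts as entityID https://blog.example.org/shibboleth for this vhost
<VirtualHost *:443>
    ServerName blog.example.org
    SSLEngine On
    SSLCertificateFile    /etc/ssl/blog.example.org.crt
    SSLCertificateKeyFile /etc/ssl/blog.example.org.key
    <Location />
        AuthType shibboleth
        ShibRequestSetting applicationId blog
        ShibRequestSetting requireSession 1
        ShibUseHeaders On                   # backend must accept these headers
        Require valid-user                  # from the proxy only (firewall it)
    </Location>
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / https://10.0.0.12/
    ProxyPassReverse / https://10.0.0.12/
</VirtualHost>

# wiki.example.org: repeat the blog vhost with ServerName wiki.example.org,
# "ShibRequestSetting applicationId wiki" and backend https://10.0.0.13/
```

The `ProxyPass /Shibboleth.sso !` exclusions matter: the AssertionConsumerService URL is on the proxy, so those requests must reach shibd there rather than the backend. Because ShibUseHeaders On passes identity as plain request headers, the backend web servers must only be reachable from the proxy, as the answer's firewall step already requires.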
