I am wondering if it is possible to only have one Shibboleth Service Provider (SP) if you pass requests to all your sites through one reverse proxy (with SSL offloading, etc.).
So, let's say I have the following sites at different domains:
- example.org
- blog.example.org
- wiki.example.org
The sites themselves and their respective webservers all reside in their own VMs and cannot communicate with the outside directly. I have another VM that only runs a reverse proxy for all those domains and passes requests on to the webserver in the respective VM. Let's call that reverse proxy proxy.example.org (note that this wouldn't be an accessible domain name).
Now, instead of configuring an SP for each site, I'd like to install it only on proxy.example.org, configuring it so that each request to
- example.org/secure
- blog.example.org
- wiki.example.org
will trigger a Shibboleth authentication. After a successful auth the request gets passed on. Is that possible?
I am asking as I only found this resource https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy which I find very ambiguous, as it only says
- The location /secure on the resource is protected by a Shibboleth SP
- The Shibboleth SP intercepts the request and generates a SAML2 AuthnRequest with an AssertionConsumerServiceURL of https://proxy.example.org/Shibboleth.sso/SAML2/POST
So I don't really know where the SP(s) have to be installed...
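As an added illustration (not part of the question above and not taken from the Shibboleth wiki page it cites), this is how the arrangement described in the question looks when written as an Apache httpd configuration for the proxy VM: a single SP (shibd plus mod_shib) on the proxy, with the protected locations per vhost and the authenticated request forwarded to the back-end VM. It assumes mod_shib, mod_proxy, mod_proxy_http, mod_headers and mod_ssl are loaded, and the back-end hostnames web1.internal, web2.internal and web3.internal are placeholders.

```apache
# Added example, not the question's or Shibboleth's own configuration.
# One SP on proxy.example.org fronting three back-end VMs. Back-end
# hostnames (web*.internal) are placeholders for the internal VM addresses.

# The SP handler; mod_shib answers this path itself, it is never proxied.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# The back end learns who the user is only from a header set by this proxy,
# so drop any same-named header a client sends before mod_shib has run.
# "early" runs before authentication; the "set" below runs after it.
RequestHeader unset X-Remote-User early

<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted here

    # Only /secure needs a Shibboleth session; the rest of the site is public.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        # Export the authenticated principal to the back end.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    </Location>

    ProxyPreserveHost On
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / http://web1.internal/
    ProxyPassReverse / http://web1.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.org
    SSLEngine on

    # Whole site requires a session.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    </Location>

    ProxyPreserveHost On
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / http://web2.internal/
    ProxyPassReverse / http://web2.internal/
</VirtualHost>

# wiki.example.org is configured like blog.example.org, proxying to
# http://web3.internal/ (omitted to keep the example short).
```

Two points a practitioner would check with this layout. First, with one SP serving several hostnames, the handler is reached on each vhost (https://example.org/Shibboleth.sso/..., https://blog.example.org/Shibboleth.sso/...), so each of those AssertionConsumerService locations has to appear in the SP metadata registered with the IdP, otherwise the IdP will reject the AuthnRequest. Second, the back-end VMs must accept X-Remote-User only from the proxy (firewalling them so nothing else can reach them, as the question already describes) because that header, not a session of their own, is what identifies the user to them.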