I am wondering if it is possible to only have one Shibboleth Service Provider (SP) if you pass requests to all your sites through one reverse proxy (with SSL offloading, etc.).
So, let's say I have the following sites at different domains:
example.org
blog.example.org
wiki.example.org
The sites themselves and their respective web servers all reside in their own VMs and cannot communicate with the outside directly. I have another VM that only runs a reverse proxy for all those domains and passes requests on to the web server in the respective VM. Let's call that reverse proxy proxy.example.org (note that that wouldn't be an accessible domain name).
Now, instead of configuring an SP for each site, I'd like to install it only on proxy.example.org, configuring it so that each request to
example.org/secure
blog.example.org
wiki.example.org
will trigger a Shibboleth authentication. After a successful auth the request gets passed on. Is that possible?
I am asking because I only found this resource, https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy, which I find very ambiguous, as it only says
- The location /secure on the resource is protected by a Shibboleth SP
- The Shibboleth SP intercepts the request and generates a SAML2 AuthnRequest with an AssertionConsumerServiceURL of https://proxy.example.org/Shibboleth.sso/SAML2/POST
So I don't really know where the SP(s) have to be installed…
Best Answer
Yes, it is possible. I configured a single Shib proxy some years ago. Here is all the documentation I wrote back then (it's a setup on Solaris; some things may be different on Linux). You will need a server which holds the application you want to protect and a proxy server with the Shibboleth stuff and some proxy rules on it.
shibd -t -c /opt/AAI/etc/shibboleth/shibboleth2.xml
Handler type="Status"
and remove the ACLs at the end. Your Handler should look like:
<Handler type="Status" Location="/Status" />
<ApplicationOverride id="<APP NAME>" entityID="https://<DOMAIN>/shibboleth" />
Copy this stub
Replace APP NAME, WEBSERVER URL, IP ADDR and DOMAIN; you will have to change the paths for your setup too.
Restart apache and shibd
Enjoy
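The layout the question and answer describe (one SP on the proxy VM, per-site protection, requests forwarded to backend VMs) as an added Apache httpd example; this is not the answerer's Solaris configuration. It assumes mod_shib, mod_proxy and mod_ssl are loaded on proxy.example.org, that shibd runs there, and that shibboleth2.xml contains an ApplicationOverride per site with the ids used below (example, blog, wiki). The backend addresses 10.0.0.11-13 and the certificate paths are constructed placeholders.

```apache
# Added example, not the answerer's config: single Shibboleth SP on the
# reverse proxy, protecting three sites that live on separate backend VMs.

# Shared settings for every protected vhost. Backend addresses are placeholders.
ProxyPreserveHost On

<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.org.crt      # placeholder path
    SSLCertificateKeyFile /etc/ssl/example.org.key      # placeholder path

    # Only /secure requires a Shibboleth session on this domain.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId example     # ApplicationOverride id
        Require shib-session
        ShibUseHeaders On      # expose REMOTE_USER etc. as request headers
    </Location>

    # The SP handler (ACS, metadata, status) is served by the proxy itself.
    <Location /Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>
    ProxyPass        /Shibboleth.sso !          # never forward the handler
    ProxyPass        / http://10.0.0.11/
    ProxyPassReverse / http://10.0.0.11/
</VirtualHost>

<VirtualHost *:443>
    ServerName blog.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/blog.example.org.crt
    SSLCertificateKeyFile /etc/ssl/blog.example.org.key

    # Whole site protected; the handler location below overrides this.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId blog
        Require shib-session
        ShibUseHeaders On
    </Location>
    <Location /Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / http://10.0.0.12/
    ProxyPassReverse / http://10.0.0.12/
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/wiki.example.org.crt
    SSLCertificateKeyFile /etc/ssl/wiki.example.org.key

    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibRequestSetting applicationId wiki
        Require shib-session
        ShibUseHeaders On
    </Location>
    <Location /Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / http://10.0.0.13/
    ProxyPassReverse / http://10.0.0.13/
</VirtualHost>
```

Two points matter for this to be safe. The /Shibboleth.sso location must be excluded from proxying (the `ProxyPass ... !` lines) and left unauthenticated, otherwise the IdP's POST back to the AssertionConsumerService never reaches the SP. And because the backends learn the user's identity only from headers the proxy sets, they must remain reachable solely from the proxy (as the question already states), since any client that could reach a backend directly could supply those headers itself.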