I currently have Shib SP (v3) running to protect a website lets call it site1.example.com
. Lets say example.com uses an IDP called example1_auth
and it is up and running as expected. I have other websites on the same server, they are completely separate from example.com
they have different subdomains, different purposes they just share the resources of the server (Lets call the server server1
)
I now need to configure Shib SP to protect one of these other websites lets call this other site site2.example.com
and it will use example2_auth
as its IDP
My question is how do I protect the additional site, what changes are required to the shibboleth2.xml
file and attribute-map.xml
From what I understand I need to do at least the following
Add an additional site to the <InProcess>
section
<InProcess>
<ISAPI normalizeRequest="true" safeHeaderNames="true">
<Site id="5" name="site1.example.com" scheme="https" port="443"/>
<Site id="15" name="site2.example.com" scheme="https" port="443"/> <!--New-->
</ISAPI>
</InProcess>
Add an additional host to the <RequestMapper>
section, so that would look something like this
<RequestMapper type="Native">
<RequestMap>
<Host name="site1.example.com" port="443" scheme="https">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
<!--New-->
<Host name="site2.example.com" port="443" scheme="https">
<Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>
</RequestMap>
</RequestMapper>
Assuming those parts are correct. What changes are required here?
<ApplicationDefaults entityID="https://site1.example.com/Shibboleth"
REMOTE_USER="eppn subject-id pairwise-id persistent-id"
cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
<Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false" cookieProps="; HttpOnly; path=/; secure" >
<SSO entityID="site1_auth">
SAML2 SAML1
</SSO>
<Logout>SAML2 Local</Logout>
<LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
</Sessions>
<MetadataProvider type="XML" validate="true" path="C:\opt\SSO_Metadata\site1.xml"/>
<MetadataProvider type="XML" validate="true" path="C:\opt\SSO_Metadata\site2.xml"/>
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolvers for separate signing/encryption keys. -->
<CredentialResolver type="File" use="signing"
key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
<CredentialResolver type="File" use="encryption"
key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
I think I need to add an <ApplicationOverride>
section within this part but I'm not sure that's right, but the documentation points to a better way but never really full explains fully what that might be, or at least from what I've seen. I find the confluence documentation lacks fully fledge examples to go from.
Apologies for the long post
0 Answers