Moving SSL cert to the edge breaks Shibboleth

Moving SSL cert to the edge breaks Shibboleth

Michael Ottoson

Hi All,

We are converting a system we inherited: two web servers running IIS and Shibboleth, behind a load balancing server running HAPROXY. SSL certs are installed on each web server, and HAPROXY is configured as passthrough.

We want to replace the HAPROXY server with one running nginx, and we want to move the SSL cert off of the web servers to the edge, i.e. the nginx server.

We are almost there. There is one snag: Shibboleth.

We built a new server, installed and configured nginx. We use the HOSTS file to point back and forth for testing. Once we are done, we'll repoint DNS.

First, we configured nginx as a passthrough for SSL. That worked fine.

Then we moved the cert from the web servers to the nginx server.

Requests to non-secure traffic worked fine, but anything going through Shibboleth said "Unable to locate satisfiable bearer SubjectConfirmation in assertion".

What's interesting: if we point HOSTS to the original HAPROXY server, authenticate, then switch HOSTS to the nginx server, everything works perfectly.

In other words, once the SAML cookie is set all is good. So it seems the problem happens when the IdP tries to send the assertions to .../Shibboleth.sso/SAML2/POST (Fiddler confirms).

I've posted all of this (with diagrams and conf files) on ServerFault: https://serverfault.com/questions/884317/moving-ssl-cert-to-the-edge-breaks-shibboleth

Any advice?

--
Michael Ottoson
Director Software Development
519-946-4130

We help Clients use the latest technologies to create inspiring customer experiences
Louisville | Atlanta | Dallas | Denver | New York | Minneapolis | Tampa | Windsor ON
Connect with us at www.cri.com

 


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Moving SSL cert to the edge breaks Shibboleth

Cantor, Scott E.
> We are almost there. There is one snag: Shibboleth.

No, the snag is that you haven't virtualized the web server's configuration. IIS does not support that (It doesn't have the equivalent of Apache's ServerName directive). So it isn't even technically something you should do, you should use Apache. If you want to use IIS in a way that it does not in fact support, the SP includes a partial workaround to virtualize the site parameters as documented, in the <Site> elements in its configuration.

-- Scott


RE: Moving SSL cert to the edge breaks Shibboleth

Michael Ottoson
Thanks for the fast response!

I would love to use Apache, but that's not an option.

Can you help me understand (or link to a doc that does)?  We've been using Shibboleth for months successfully.  We haven't changed any names - only moved the cert.

BTW: total novice here - I know just enough to be dangerous.


RE: Moving SSL cert to the edge breaks Shibboleth

Cantor, Scott E.
> Can you help me understand (or link to a doc that does)?

If you're asking me to explain how web server virtualization works, I guess I would suggest you read the Apache ServerName documentation, I don't know of any particularly good source on the basics of web server deployment. If you're talking about the SP workaround, it's under NativeSPISAPI in the wiki.

>  We've been using Shibboleth for months successfully.  We haven't changed any names - only
> moved the cert.

That cannot break it. You changed the virtualization of the site, you had to have. I would imagine it was physically https before and now it's physically http and still logically https. So you MUST tell the web server that it is in fact logically running on https. Which you cannot do, IIS doesn't support that, but you can hack it by telling the SP that in the <Site> element that's already present, using the scheme attribute.

-- Scott


RE: Moving SSL cert to the edge breaks Shibboleth

Michael Ottoson
Sorry, yes - I was asking about the SP workaround.

Thanks.

--
Michael Ottoson
Director Software Development
519-946-4130

RE: Moving SSL cert to the edge breaks Shibboleth

Boyd, Todd M.
In reply to this post by Cantor, Scott E.
Could you potentially lie to the stack that sits on IIS using something like IIS URL Rewrite and replacing server variables? I know there were a few small web applications running on IIS we were able to "trick" this way by setting things such as the HTTPS, SERVER_PORT, SERVER_PORT_SECURE, etc. variables.


-Todd


Re: Moving SSL cert to the edge breaks Shibboleth

Domingues, Michael D

Michael,


You can find the main wiki for all Shibboleth project documentation here: https://wiki.shibboleth.net/


The page you are interested in (as Scott described) can be found here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPISAPI


Best,

Michael


RE: Moving SSL cert to the edge breaks Shibboleth

Cantor, Scott E.
In reply to this post by Boyd, Todd M.
> Could you potentially lie to the stack that sits on IIS using something like IIS
> URL Rewrite and replacing server variables? I know there were a few small
> web applications running on IIS we were able to "trick" this way by setting
> things such as the HTTPS, SERVER_PORT, SERVER_PORT_SECURE, etc.
> variables.

Very likely, that's probably the actual "fix" on newer versions. My knowledge tends to be extremely dated to older versions pre-IIS7.

We'll take a look at that for the new version, I'd love to be able to pull the workaround code if there's a proper way to do it now. All we're doing now is subverting the logic that reads from those variables, obviously.

-- Scott

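Scott's explanation (the IdP addresses the logical https:// endpoint from SP metadata, while an IIS stack behind a TLS-terminating proxy reports a physical http:// one, and the SP's bearer check compares the two) and Todd's server-variable approach can both be seen in one small model. The following is an added Python illustration, not Shibboleth SP code: the server-variable names (HTTPS, SERVER_NAME, SERVER_PORT, URL) are the CGI-style names Todd mentions, the `site_override` dict stands in for the `<Site scheme="..." port="...">` workaround, and the assertion, hostnames and timestamps are constructed for the example.

```python
"""Why TLS termination at the edge can break a SAML bearer SubjectConfirmation.

Added illustration (not Shibboleth SP code). An SP must check that a bearer
<SubjectConfirmationData Recipient="..."> names the endpoint the response
actually arrived at, and it derives that endpoint from what the web server
reports. When nginx terminates TLS and forwards plain HTTP to IIS, the server
variables describe http://, the IdP addressed https://, and no confirmation
matches. Two remedies from the thread are modelled: an explicit scheme/port
override (the <Site scheme="https"> workaround) and rewriting the server
variables so IIS itself reports HTTPS (Todd's URL Rewrite approach).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion: Recipient is the https ACS endpoint published in SP metadata.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_abc" Version="2.0" IssueInstant="2017-11-20T20:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/Shibboleth.sso/SAML2/POST"
                                    NotOnOrAfter="2017-11-20T20:05:00Z"
                                    InResponseTo="_req1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed server-variable sets (what IIS would report in each deployment).
BEHIND_NGINX = {"HTTPS": "off", "SERVER_NAME": "sp.example.org", "SERVER_PORT": "80",
                "URL": "/Shibboleth.sso/SAML2/POST"}           # TLS ended at nginx, plain HTTP to IIS
REWRITTEN_VARS = {"HTTPS": "on", "SERVER_NAME": "sp.example.org", "SERVER_PORT": "443",
                  "URL": "/Shibboleth.sso/SAML2/POST"}         # variables rewritten to look like HTTPS
SITE_OVERRIDE = {"scheme": "https", "port": "443"}              # mimics <Site scheme="https" port="443">


def endpoint_url(server_vars, site_override=None):
    """Build the URL the SP believes the request arrived at.

    The override, when given, wins over the server variables, which is the point
    of the <Site> workaround: IIS cannot be told the site is logically https.
    """
    scheme = "https" if server_vars.get("HTTPS", "off").lower() == "on" else "http"
    port = int(server_vars.get("SERVER_PORT", 443 if scheme == "https" else 80))
    if site_override:
        scheme = site_override.get("scheme", scheme)
        port = int(site_override.get("port", 443 if scheme == "https" else 80))
    default_port = 443 if scheme == "https" else 80
    host = server_vars["SERVER_NAME"]
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{server_vars['URL']}"


def _parse_ts(value):
    """Parse a SAML UTC timestamp such as 2017-11-20T20:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_bearer_confirmation(assertion_xml, recipient, now, request_id=None):
    """Return the first bearer SubjectConfirmationData acceptable at `recipient`, else None."""
    root = ET.fromstring(assertion_xml)
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find(f"{{{SAML_NS}}}SubjectConfirmationData")
        if data is None or data.get("Recipient") != recipient:
            continue                      # delivered somewhere other than the named endpoint
        expiry = data.get("NotOnOrAfter")
        if expiry and now >= _parse_ts(expiry):
            continue                      # stale: replay window closed
        if request_id and data.get("InResponseTo") not in (None, request_id):
            continue                      # answers a request this SP did not issue
        return data
    return None


def validate(server_vars, site_override=None, now_iso="2017-11-20T20:01:00Z"):
    """Run the bearer check for one deployment; returns an 'accepted:'/'rejected:' string."""
    recipient = endpoint_url(server_vars, site_override)
    found = find_bearer_confirmation(SAMPLE_ASSERTION, recipient, _parse_ts(now_iso), "_req1")
    if found is None:
        return f"rejected: no bearer SubjectConfirmation for {recipient}"
    return f"accepted: {recipient}"


if __name__ == "__main__":
    print("edge TLS, no override :", validate(BEHIND_NGINX))
    print("edge TLS, Site override:", validate(BEHIND_NGINX, SITE_OVERRIDE))
    print("rewritten server vars  :", validate(REWRITTEN_VARS))
    print("expired assertion      :", validate(REWRITTEN_VARS, now_iso="2017-11-20T20:10:00Z"))
```

The first case reproduces the thread's failure mode: the only bearer confirmation names `https://sp.example.org/...`, the SP computed `http://sp.example.org/...`, so nothing satisfies the check. Either telling the SP the logical scheme or making IIS report HTTPS resolves it; the expiry case is included because the same loop is where a stale or replayed assertion is rejected, which is why the Recipient comparison must not simply be disabled.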