Single SP for Multiple vhosts acting as a reverse proxy

Single SP for Multiple vhosts acting as a reverse proxy

sam1000
Hi:

We have an app that needs to be deployed multiple times for different clients (client1.newco.com, client2.newco.com, etc.). We used to create multiple SPs/Partnerships with IDP for each client. We are at a point where this solution is not scalable anymore. Our IDP has asked us to implement a solution where a single partnership/SP can work with all instances of the application. IDP software is not Shibboleth.

To achieve this, we have set up an Apache server as a reverse proxy with multiple vhosts and <Location> blocks. Each vhost is defined with its applicationId because we might have to override session values in future. Apache also acts as a bridge to Tomcat. IDP is configured with a single ACS.

We get into a loop with this configuration. SAML tracer in Firefox shows that Shibboleth on app2 redirects the user to a login page. From there, assertion gets posted to the App1/default ACS. User is redirected back to App2 page -> login -> POST...

Couple of questions...
1. Is it possible to achieve this objective of single SP and ACS with multiple vhosts?
2. If yes, what do I need to add in the override block to avoid this loop?

Thanks for your help!!!


Re: Single SP for Multiple vhosts acting as a reverse proxy

JohnWang
Sam,
It is doable. You need to configure both Apache Web servers and Shibboleth SP to achieve the goal. Please take a look at https://wiki.cac.washington.edu/pages/viewpage.action?pageId=61703128. If you have any further questions, please post here.

Thanks,

John Wang