about Audience policy

about Audience policy

veronesip

Hi,

I have the following configuration:

   <RequestMapper type="Native">
      <RequestMap applicationId="default">
         <Host name="www.fake_pippo.org">
             <Path name="secure" applicationId="pippo"/>
             <Path name="secure2" applicationId="pippo2"/>
         </Host>
      </RequestMap>
   </RequestMapper>

   <ApplicationOverride id="pippo" entityID="https://www.fake_pippo.org/shibboleth"
   [...]
   </ApplicationOverride>

     [...]

   <ApplicationOverride id="pippo2" entityID="https://www2.fake_pippo.org/shibboleth"
   [...]
   </ApplicationOverride>

            [...]
            <saml2:AudienceRestriction>
                <saml2:Audience>https://www.fake_pippo.org/shibboleth</saml2:Audience>
            </saml2:AudienceRestriction>
            [...]

As far as I understand, I need to modify security-policy.xml for the application id="pippo" in order to accept both https://www.fake_pippo.org/shibboleth and https://www2.fake_pippo.org/shibboleth as Audience, but it is not clear to me how.

Any hint?

Best regards,
  Paolo

-- 
Paolo Veronesi
--------------------------------------------------------------
Divisione DataCenter&Cloud
Attivazione&Esercizio DC&Cloud
CUP 2000 S.c.p.A. - www.cup2000.it
Via del Borgo di S. Pietro, 90/c - 40126 Bologna
Tel: +39 051 4208571  | e-mail: [hidden email]
Fax +39 051 4208511

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: about Audience policy

Cantor, Scott E.
On 6/29/18, 12:51 PM, "users on behalf of Paolo Veronesi" <[hidden email] on behalf of [hidden email]> wrote:

> As far as I understand, I need to modify security-policy.xml for the application id="pippo" in order to accept both
> https://www.fake_pippo.org/shibboleth and
> https://www2.fake_pippo.org/shibboleth as Audience, but it is not clear to me how.

No. You should in order of preference:

* stop using overrides
* not make them path-based and use vhosts

Failing that, you are in for a lot of hassle, and need to read the documentation on path-based overrides [1] that discusses the issue of overriding the handlers and the need for a full <Sessions> element with a handlerURL, modifications to metadata, etc.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride
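An added illustration of Scott's second option (vhost-based overrides instead of path-based ones); this is editorial example configuration, not part of his reply and not the Shibboleth project's own sample shibboleth2.xml. The host names, applicationIds and the two entityIDs are taken from Paolo's post; the default application's entityID, the IdP entityID, the authType/requireSession attributes and the <Sessions> settings are assumptions about a typical SP install.

```xml
<!-- Added example, not from the thread: shibboleth2.xml fragment with one
     override per virtual host. Host names, applicationIds and the two
     override entityIDs come from Paolo's post; everything else is assumed. -->

<RequestMapper type="Native">
   <RequestMap applicationId="default">
      <!-- One <Host> per virtual host, each mapped to its own override.
           Nothing is split by path, so every request on a host, including
           the SP's own handler requests under /Shibboleth.sso, is served by
           that host's override and therefore checked against its entityID. -->
      <Host name="www.fake_pippo.org" applicationId="pippo"
            authType="shibboleth" requireSession="true"/>
      <Host name="www2.fake_pippo.org" applicationId="pippo2"
            authType="shibboleth" requireSession="true"/>
   </RequestMap>
</RequestMapper>

<!-- Overrides live inside <ApplicationDefaults>. The default application's
     entityID below is a placeholder (assumption). -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn">

   <!-- handlerURL is left at the SP default, the relative "/Shibboleth.sso".
        Because each override owns a whole host, that relative location
        resolves against whichever host the request arrived on, so the
        overrides need no <Sessions> element of their own. -->
   <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
             handlerSSL="true" cookieProps="https">
      <!-- IdP entityID is a placeholder (assumption). -->
      <SSO entityID="https://idp.example.org/idp/shibboleth">
         SAML2
      </SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
   </Sessions>

   <!-- pippo: assertions delivered to www.fake_pippo.org must carry this
        entityID in <saml2:Audience>. -->
   <ApplicationOverride id="pippo"
                        entityID="https://www.fake_pippo.org/shibboleth"/>

   <!-- pippo2: assertions delivered to www2.fake_pippo.org must carry this
        entityID. The IdP therefore needs SP metadata for both entityIDs
        (the metadata changes Scott mentions); the SP never has to accept
        two audiences for a single application. -->
   <ApplicationOverride id="pippo2"
                        entityID="https://www2.fake_pippo.org/shibboleth"/>

</ApplicationDefaults>
```

The point of keeping one audience per application is that the AudienceRestriction check is what stops an assertion issued for one SP entity from being accepted by another; widening the accepted audiences, as the original question proposed, would trade that isolation for convenience. With the vhost layout the assertion for www2 simply lands on the override whose entityID it already names.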

