proxy between SP and IDP with HTTP-POST binding

proxy between SP and IDP with HTTP-POST binding

Dole, David

I could not find this question in the archives so I must be missing something obvious. Apologies if this has been answered and I didn’t find it.

 

I am deploying a Shibboleth IDP 3.3.2. My SP requires unsolicited SSO and it seems to be working as expected. My problem is that my user agent (client browser) reaches everything through a reverse proxy, i.e. the IDP, the SP and the final target URLs must all be reached using the proxy host.

 

My only authentication flow is the default authn/Password. My SP metadata also requires HTTP-POST binding for the assertion consumer service. The form sent back to the browser is filled in with the “$ticket” and “$service” values as shown in postback.vm:

 

<body onload="document.forms[0].submit()">
<div class="wrapper">
    <div class="center">
        ...
        <form action="$service" method="post">
            <div>
                <input type="hidden" name="$ticketParamName" value="$ticket"/>
            </div>
            <noscript>
                <div>
                    <input type="submit" value="Continue"/>
                </div>
            </noscript>
        </form>
    </div>
</div>
</body>

 

The form action ($service) contains the SP assertion consumer service URL and the ticket value ($ticket) contains a relay state. The hosts in these values end up being those specified by the metadata (for the action) and by the target (for the relay state), however I need them to be my proxy host. The form is just data to the proxy so the proxy is no help transforming the values.

 

I can’t be the first one in this situation so how is this typically handled? Can I transform the values in that form before it is sent?

 

Please let me know if you need more information.

 

Thanks,

Dave Dole

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: proxy between SP and IDP with HTTP-POST binding

Cantor, Scott E.
On 5/3/18, 4:59 PM, "users on behalf of Dole, David" <[hidden email] on behalf of [hidden email]> wrote:

> The form action ($service) contains the SP assertion consumer service URL and the ticket value ($ticket) contains a relay
> state. The hosts in these values end up being those specified by the metadata (for the action) and by the target (for
> the relay state), however I need them to be my proxy host.

Then all of the URLs in all the requests and the metadata had better be referring to the proxy and the web server(s) must all know enough to make that happen.

Reverse proxying is not transparent and all that is is virtualization, no different in nature than offloading ports or SSL. The web server(s) used must accurately report the *logical* name, port, and scheme that the client sees to the SP and IdP.

-- Scott


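The point Scott makes, that the web server behind the proxy must report the *logical* scheme, host and port the client sees, and that the SP then compares the SAML Destination against that logical ACS URL, as an added illustration that is not part of this thread or of Shibboleth's code. The header names, the trusted-proxy network and the sample URLs are assumptions constructed for the example.

```python
"""Derive the logical (client-facing) URL of a request that arrived via a
reverse proxy, then check a SAML POST Destination against it."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed: only the reverse proxy on this network may assert forwarded
# headers; anyone else could spoof the logical name and defeat the check.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
DEFAULT_PORTS = {"http": 80, "https": 443}


def logical_url(peer_ip, scheme, host, port, path, headers):
    """Return the URL the browser actually used.

    peer_ip/scheme/host/port/path describe the hop the web server itself saw.
    X-Forwarded-* headers are honoured only when the peer is a trusted proxy."""
    hdr = {k.lower(): v for k, v in headers.items()}
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if trusted and "x-forwarded-host" in hdr:
        # First element wins when several proxies appended to the chain.
        scheme = hdr.get("x-forwarded-proto", scheme).split(",")[0].strip()
        host = hdr["x-forwarded-host"].split(",")[0].strip()
        if ":" in host:
            host, port = host.rsplit(":", 1)
            port = int(port)
        else:
            port = int(hdr.get("x-forwarded-port", DEFAULT_PORTS.get(scheme, port)))
    # Omit the port when it is the default for the scheme, as a browser would.
    authority = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def destination_matches(saml_destination, request_url):
    """HTTP-POST binding rule: the Destination in the Response must equal the
    ACS URL the message was received at, compared as the logical URL."""
    a, b = urlsplit(saml_destination), urlsplit(request_url)
    return (a.scheme, a.netloc.lower(), a.path) == (b.scheme, b.netloc.lower(), b.path)
```

If the proxy is not trusted, or does not send the headers at all, the SP sees its internal name and the Destination check fails, which is the symptom of the mismatch described in the thread.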

Re: proxy between SP and IDP with HTTP-POST binding

Peter Schober
* Dole, David <[hidden email]> [2018-05-03 23:32]:
> My problem is that my user agent (client browser) reaches everything
> through a reverse proxy, i.e. the IDP, the SP and the final target
> URLs must all be reached using the proxy host.

Standing up a reverse proxy that proxies to (and therefore
impersonates, as far as URLs go) any and all resources doesn't seem
very practical to me -- the above sounds like you'd want a forward
proxy instead (think SOCKS or HTTP CONNECT or PAC)?

I.e., you're proxying clients here, not servers, AFAICT.

-peter