I could not find this question in the archives so I must be missing something obvious. Apologies if this has been answered and I didn’t find it.
I am deploying a Shibboleth IDP 3.3.2. My SP requires unsolicited SSO and it seems to be working as expected. My problem is that my user agent (client browser) reaches everything through a reverse proxy, i.e. the IDP, the SP and the final target URLs must all be reached using the proxy host.
My only authentication flow is the default authn/Password. My SP metadata also requires HTTP-POST binding for the assertion consumer service. The form sent back to the browser is filled in with the “$ticket” and “$service” values as shown

The form action ($service) contains the SP assertion consumer service URL and the ticket value ($ticket) contains a relay state. The hosts in these values end up being those specified by the metadata (for the action) and by the target (for the relay state), however I need them to be my proxy host. The form is just data to the proxy so the proxy is no help transforming the values.
I can’t be the first one in this situation so how is this typically handled? Can I transform the values in that form before it is sent?
Please let me know if you need more information.
DXC Technology Company - Headquarters: 1775 Tysons Boulevard, Tysons, Virginia 22102, USA.
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg To unsubscribe from this list send an email to [hidden email]
> The form action ($service) contains the SP assertion consumer service URL and the ticket value ($ticket) contains a relay
> state. The hosts in these values end up being those specified by the metadata (for the action) and by the target (for
> the relay state), however I need them to be my proxy host.
Then all of the URLs in all the requests and the metadata had better be referring to the proxy and the web server(s) must all know enough to make that happen.
Reverse proxying is not transparent and all that is is virtualization, no different in nature than offloading ports or SSL. The web server(s) used must accurately report the *logical* name, port, and scheme that the client sees to the SP and IdP.
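As an added illustration of the point above (example configuration written for this thread, not from the original post or the Shibboleth project), here is how the httpd in front of the SP is made to report the logical name the browser uses; the hostnames, ports and paths are assumed. The SP metadata generated from the corrected vhost then carries the proxy host in its AssertionConsumerService URL, which is what the IdP puts in the form action.

```apache
# --- Reverse proxy host (what the browser talks to): proxy.example.org ---
# All names below are assumed for this example.
<VirtualHost *:443>
    ServerName proxy.example.org
    SSLEngine on
    SSLProxyEngine on
    # Pass the browser's Host header through unchanged so the
    # back-ends see the logical name the client used.
    ProxyPreserveHost On
    ProxyPass        /idp/            https://idp.internal.example/idp/
    ProxyPassReverse /idp/            https://idp.internal.example/idp/
    ProxyPass        /Shibboleth.sso/ https://sp.internal.example/Shibboleth.sso/
    ProxyPassReverse /Shibboleth.sso/ https://sp.internal.example/Shibboleth.sso/
    ProxyPass        /secure/         https://sp.internal.example/secure/
    ProxyPassReverse /secure/         https://sp.internal.example/secure/
</VirtualHost>

# --- SP web server (sp.internal.example), where mod_shib/shibd run ---
# Weak: ServerName is the internal name, so the generated metadata,
# the AssertionConsumerService URL and the relay-state target all
# carry sp.internal.example, a host the browser cannot reach.
#   ServerName sp.internal.example
#
# Corrected: advertise the scheme, host and port the client sees and
# force httpd to use them whenever it builds a self-referential URL.
<VirtualHost *:443>
    ServerName https://proxy.example.org:443
    UseCanonicalName On
    SSLEngine on
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>
</VirtualHost>
```

The same requirement applies to the IdP's servlet container; with Tomcat's HTTP connector that is the proxyName, proxyPort and scheme attributes, so that the IdP's own URLs also resolve to the proxy host.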
* Dole, David <[hidden email]> [2018-05-03 23:32]:
> My problem is that my user agent (client browser) reaches everything
> through a reverse proxy, i.e. the IDP, the SP and the final target
> URLs must all be reached using the proxy host.
Standing up a reverse proxy that proxies to (and therefore
impersonates, as far as URLs go) any and all resources doesn't seem
very practical to me -- the above sounds like you'd want a forward
proxy instead (think SOCKS or HTTP CONNECT or PAC)?
I.e., you're proxying clients here, not servers, AFAICT.