Shibboleth with AWS Cloudfront

Shibboleth with AWS Cloudfront

Sylvia, Shannon

Hello all,

I have spent days trying to understand why simple index.html websites that work fine in our in-house Linux environment using Shibboleth, with the same configuration files, go into a loop when I create the websites on AWS, using AWS Linux 2, an AWS Application Load Balancer, CloudFront and Route 53.

It all appears to go through and connect to the IdP, and it brings back the IdP metadata. I am told the IdP is able to update the SP metadata.

It is simply using Apache 2.4 on AWS Linux 2, very straightforward. It is not using Elastic IPs, so the IP addresses are not fixed.

Does anyone have suggestions for this architecture?

Thanks so much in advance,

S. Sylvia

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Shibboleth with AWS Cloudfront

Wessel, Keith William

Is your AWS load balancer speaking http instead of https to the web server running the SP? If so, you need to get the SP to accept cookies and traffic from non-HTTPS endpoints.

Keith

Re: Shibboleth with AWS Cloudfront

Sylvia, Shannon

Thanks so much.

I have changed the configuration several times, and I believe that I tested allowing http traffic.

I will admit that I know very little about Shibboleth, and I am just becoming familiar with AWS.

I will look at the configuration file again and adjust if needed.

Thanks,

S. Sylvia

RE: Shibboleth with AWS Cloudfront

Wessel, Keith William

No problem, Shannon. The important things are to set handlerSSL to false and cookieProps to http in shibboleth2.xml. If using Apache, you’ll also need to set the Apache ServerName directive to a full https://hostname.tld:443 including the port number so that return URLs are properly constructed in requests sent to the IdP.

Keith

Re: Shibboleth with AWS Cloudfront

Cantor, Scott E.
On 11/14/19, 9:29 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> No problem, Shannon. The important things are to set handlerSSL to false and cookieProps to http in shibboleth2.xml.
> If using Apache, you’ll also need to set the Apache ServerName directive to a full https://hostname.tld:443 

Those are essentially inconsistent. If you properly virtualize, then the SP is logically operating over TLS regardless of the physical parameters.
 
-- Scott



RE: Shibboleth with AWS Cloudfront

Wessel, Keith William
Interesting. Is that different in 3 than it used to be in 2? That wasn't my past experience when putting services behind SLBs that also offloaded SSL.

More importantly, which settings does one need to make for this to work behind an SSL-offloading SLB?

Thanks, Scott,
Keith



Re: Shibboleth with AWS Cloudfront

Cantor, Scott E.
On 11/14/19, 9:56 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> Interesting. Is that different in 3 than it used to be in 2? That wasn't my past experience when putting services behind
> SLBs that also offloaded SSL.

The SP generally just applies behavior based on the URL it operates on, and that URL should be https:// in such a case, that's really all that matters (I mean, in the broad sense, the scheme, port, and host are the factors here).

> More importantly, which settings does one need to make for this to work behind an SSL-offloading SLB?

ServerName, that's it.

-- Scott



RE: Shibboleth with AWS Cloudfront

Wessel, Keith William
But I assume that the two shibboleth2.xml settings (handlerSSL="false" and cookieProps="http" still need to be set?

Keith



Re: Shibboleth with AWS Cloudfront

Cantor, Scott E.
On 11/14/19, 10:53 AM, "users on behalf of Wessel, Keith" <[hidden email] on behalf of [hidden email]> wrote:

> But I assume that the two shibboleth2.xml settings (handlerSSL="false" and cookieProps="http" still need to be set?

Nope. It *is* SSL if the server tells it that it is.

-- Scott
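Scott's point in the last three messages is that the SP builds its handler URLs from the scheme, host and port Apache reports for the request, so behind a TLS-offloading ALB the fix is `ServerName https://sp.example.org:443` (together with `UseCanonicalName On`, which the thread does not mention but which makes Apache use ServerName rather than the incoming Host header for self-referential URLs), and the shibboleth2.xml defaults of handlerSSL="true" and cookieProps="https" stay as they are. Flipping those two to false/http, as first suggested, would drop the Secure flag from the session cookie and allow the handler endpoints to be reached over plaintext, which is a real weakening rather than a fix. The quickest way to confirm the vhost is right is to fetch /Shibboleth.sso/Metadata through the load balancer and check that every endpoint Location is https on the public hostname, because that is exactly the URL the IdP will be asked to return the assertion to. The checker below is an added example, not code from the thread or the Shibboleth project; the hostname sp.example.org, the internal name ip-10-0-1-23.ec2.internal and both metadata documents are constructed for illustration.

```python
"""Check that a Shibboleth SP's generated metadata advertises https endpoints.

Added example (not from the thread or the Shibboleth project). Behind a
TLS-offloading load balancer the SP derives its handler URLs from the scheme,
host and port Apache reports; with the right ServerName they come out as
https://<public host>/Shibboleth.sso/..., otherwise you see http:// and the
instance's internal name, and the IdP is asked to post the assertion to an
endpoint that is not in the registered SP metadata.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService", "ArtifactResolutionService")


def check_endpoints(metadata_xml: str, expected_host: str) -> List[str]:
    """Return a list of problems; an empty list means every endpoint is https on expected_host."""
    root = ET.fromstring(metadata_xml)
    problems: List[str] = []
    for tag in ENDPOINT_TAGS:
        for ep in root.iterfind(f".//md:{tag}", NS):
            loc = ep.get("Location", "")
            parts = urlsplit(loc)
            if parts.scheme != "https":
                problems.append(f"{tag} {loc}: scheme is {parts.scheme or 'missing'}, expected https")
            if parts.hostname != expected_host:
                problems.append(f"{tag} {loc}: host is {parts.hostname}, expected {expected_host}")
            # ServerName https://host:443 yields URLs with the default port omitted;
            # an explicit :80 means Apache is still reporting the plaintext listener.
            if parts.port not in (None, 443):
                problems.append(f"{tag} {loc}: port {parts.port} is not the public 443")
    return problems


# Constructed sample: what the SP generates when Apache reports the public
# https origin (ServerName https://sp.example.org:443, UseCanonicalName On).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: what you see when the ALB terminates TLS and speaks plain
# http to an instance whose ServerName was left at its default.
BAD_METADATA = GOOD_METADATA.replace(
    "https://sp.example.org/Shibboleth.sso", "http://ip-10-0-1-23.ec2.internal/Shibboleth.sso"
)


if __name__ == "__main__":
    # Usage: curl -s https://sp.example.org/Shibboleth.sso/Metadata | python3 check_sp_metadata.py sp.example.org
    host = sys.argv[1] if len(sys.argv) > 1 else "sp.example.org"
    xml_text = sys.stdin.read() if not sys.stdin.isatty() else BAD_METADATA
    found = check_endpoints(xml_text, host)
    for problem in found:
        print("PROBLEM:", problem)
    print("metadata OK" if not found else f"{len(found)} problem(s) found")
```

Run it against the metadata the SP serves through CloudFront and the ALB, not against a copy fetched from the instance directly, since the point is what the SP sees for a request that has passed through the offloading layer. Every Location it reports must also match what is registered at the IdP, or the IdP will reject the request or return the response to an endpoint the SP does not recognise.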



Re: Shibboleth with AWS Cloudfront

Sylvia, Shannon
Just to follow up on this.  It appears the issue was that I needed to set the Sticky on the AWS load balancer.

Thanks,
S. Sylvia
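The fix Shannon reports, as a worked example that is not part of the thread: by default each shibd keeps its session cache in memory on its own host, so behind a load balancer that spreads requests across instances the browser can authenticate at the IdP, have the assertion consumed (and the session created) on one instance, and then be routed to a second instance that has never seen that session cookie and sends the browser back to the IdP, indefinitely. The simulation below models two SP instances, a round-robin load balancer with and without cookie stickiness (the ALB target-group stickiness setting), and a browser following the redirects. The cookie names, the instance names and the stickiness mechanism (the AWSALB value naming the target) are simplifications made up for illustration; none of it is Shibboleth or AWS code.

```python
"""Why a per-host SP session cache loops behind a non-sticky load balancer.

Added example, not Shibboleth or AWS code. It models the default SP setup,
where shibd's session cache is local to each host, and shows that without
stickiness the assertion consumer and the protected page can land on
different instances forever.
"""
import itertools
import secrets
from typing import Dict, List, Optional, Tuple

SESSION_COOKIE = "_shibsession"   # the real name is _shibsession_<hash>; shortened here
STICKY_COOKIE = "AWSALB"          # the real value is opaque; modeled as the target name


class SPInstance:
    """One Apache + shibd host with its own in-memory session cache."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Dict[str, str] = {}

    def handle(self, path: str, cookies: Dict[str, str]) -> Tuple[str, Optional[str]]:
        if path == "/Shibboleth.sso/SAML2/POST":
            # Assertion consumer: the IdP response was accepted, so create a
            # session and issue its cookie. Only THIS host knows the new id.
            sid = secrets.token_hex(8)
            self.sessions[sid] = "alice"
            return "set_cookie", sid
        sid = cookies.get(SESSION_COOKIE)
        if sid is not None and sid in self.sessions:
            return "ok", self.sessions[sid]
        # No usable session here: send the browser to the IdP.
        return "redirect_to_idp", None


class LoadBalancer:
    """Round-robin over targets, optionally pinning a client via a stickiness cookie."""

    def __init__(self, targets: List[SPInstance], sticky: bool) -> None:
        self.targets = targets
        self.sticky = sticky
        self._rr = itertools.cycle(targets)

    def route(self, cookies: Dict[str, str]) -> SPInstance:
        if self.sticky and STICKY_COOKIE in cookies:
            return next(t for t in self.targets if t.name == cookies[STICKY_COOKIE])
        target = next(self._rr)
        if self.sticky:
            cookies[STICKY_COOKIE] = target.name   # LB sets the stickiness cookie in its response
        return target


def simulate_login(lb: LoadBalancer, max_trips: int = 5) -> Optional[int]:
    """Browser fetches /protected, following redirects to the IdP.

    Returns the number of trips to the IdP before /protected is served, or
    None if the browser is still being bounced after max_trips (a loop).
    """
    cookies: Dict[str, str] = {}
    for trip in range(max_trips + 1):
        status, _ = lb.route(cookies).handle("/protected", cookies)
        if status == "ok":
            return trip
        # Browser goes to the IdP, authenticates, and the IdP POSTs the
        # assertion to the SP's ACS through the load balancer.
        _, sid = lb.route(cookies).handle("/Shibboleth.sso/SAML2/POST", cookies)
        assert sid is not None
        cookies[SESSION_COOKIE] = sid
    return None


if __name__ == "__main__":
    for sticky in (False, True):
        lb = LoadBalancer([SPInstance("i-0a"), SPInstance("i-0b")], sticky=sticky)
        print(f"sticky={sticky}: trips to IdP = {simulate_login(lb)}")
```

With two instances and plain round robin the ACS POST and the next GET alternate between hosts, so the loop is deterministic rather than intermittent, which matches a site that "works" with one instance and breaks as soon as a second one joins the target group. Stickiness makes the test pass but ties every session to one instance, so if that instance is replaced its users are sent back to the IdP; a shared session store for the SP (its memcache or ODBC StorageService) lets any instance validate the cookie and is the more robust alternative.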
