
Purpose

The purpose of this document is to outline the steps needed to protect multiple application contexts under the same physical Shibboleth SP.

Use Case

Let's say you have the following:

  1. Two or more applications installed on the same host
  2. They share the same domain name (https://abc.ucsf.edu)
  3. They have different context roots (https://abc.ucsf.edu/app1, https://abc.ucsf.edu/app2, etc.)
  4. They require different sets of attributes, e.g. App1 needs uid, firstName and LastName, while App2 needs uid, eduPersonPrimaryName and ucsfEduIdNumber
  5. Both apps are served by the same web server

If your setup satisfies the requirements above, follow the steps outlined below.

Before you proceed

It is assumed that the SP is already installed and configured with the web server.

Shibboleth SP configuration

  1. Open shibboleth2.xml in edit mode
  2. Add a RequestMapper element just above <ApplicationDefaults>. Each Path maps one context root to its own applicationId:
      <RequestMapper type="Native">
          <RequestMap>
              <Host name="abc.ucsf.edu">
                  <Path name="<context root of app1>" applicationId="app1" authType="shibboleth" requireSession="true"/>
                  <Path name="<context root of app2>" applicationId="app2" authType="shibboleth" requireSession="true"/>
              </Host>
          </RequestMap>
      </RequestMapper>
    
  3. Add an ApplicationOverride for each app just above </ApplicationDefaults> (the closing tag of ApplicationDefaults). The id must match the applicationId used in the RequestMapper, and the handlerURL is placed under that app's context root:
      <ApplicationOverride id="app1" entityID="https://abc.ucsf.edu/app1">
          <Sessions lifetime="28800" timeout="7200" checkAddress="false" handlerURL="/<context root of app1>/Shibboleth.sso" />
      </ApplicationOverride>
      <ApplicationOverride id="app2" entityID="https://abc.ucsf.edu/app2">
          <Sessions lifetime="28800" timeout="7200" checkAddress="false" handlerURL="/<context root of app2>/Shibboleth.sso" />
      </ApplicationOverride>
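A typo in either step silently sends requests to ApplicationDefaults (and its attribute set) instead of the intended override. The following added consistency check, which is not part of this page or of the Shibboleth SP project, parses a shibboleth2.xml and verifies that every RequestMapper Path's applicationId has a matching ApplicationOverride whose handlerURL sits under that path; the embedded sample config and the context roots app1 and app2 are constructed stand-ins for the placeholders above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's shibboleth2.xml fragments; the context
# roots "app1" and "app2" stand in for the page's "<context root of appN>" placeholders.
SAMPLE_SHIB2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native"><RequestMap>
    <Host name="abc.ucsf.edu">
      <Path name="app1" applicationId="app1" authType="shibboleth" requireSession="true"/>
      <Path name="app2" applicationId="app2" authType="shibboleth" requireSession="true"/>
    </Host>
  </RequestMap></RequestMapper>
  <ApplicationDefaults entityID="https://abc.ucsf.edu/shibboleth">
    <Sessions lifetime="28800" timeout="7200" handlerURL="/Shibboleth.sso"/>
    <ApplicationOverride id="app1" entityID="https://abc.ucsf.edu/app1">
      <Sessions lifetime="28800" timeout="7200" checkAddress="false" handlerURL="/app1/Shibboleth.sso"/>
    </ApplicationOverride>
    <ApplicationOverride id="app2" entityID="https://abc.ucsf.edu/app2">
      <Sessions lifetime="28800" timeout="7200" checkAddress="false" handlerURL="/app2/Shibboleth.sso"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def check_overrides(xml_text):
    """Return a list of findings; an empty list means RequestMapper and overrides agree."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the namespace (SP 2.x and 3.x configs)
    root = ET.fromstring(xml_text)
    # RequestMapper side: applicationId -> protected path segment
    mapped = {el.get("applicationId"): el.get("name")
              for el in root.iter() if local(el.tag) == "Path" and el.get("applicationId")}
    # ApplicationDefaults side: override id -> handlerURL of its <Sessions> (None if absent)
    overrides = {}
    for el in root.iter():
        if local(el.tag) == "ApplicationOverride":
            sessions = [c for c in el if local(c.tag) == "Sessions"]
            overrides[el.get("id")] = sessions[0].get("handlerURL") if sessions else None
    findings = []
    for app_id, path in mapped.items():
        if app_id not in overrides:
            findings.append(f"Path '{path}' maps to applicationId '{app_id}' but no "
                            f"ApplicationOverride has that id: requests fall back to ApplicationDefaults")
        elif not (overrides[app_id] or "").startswith(f"/{path.strip('/')}/"):
            findings.append(f"ApplicationOverride '{app_id}' handlerURL '{overrides[app_id]}' is not "
                            f"under /{path}/, so its handler requests are mapped to another application")
    for app_id in overrides:
        if app_id not in mapped:
            findings.append(f"ApplicationOverride '{app_id}' is never selected by a RequestMapper Path")
    return findings
```

Run it against your real file with `check_overrides(open("/etc/shibboleth/shibboleth2.xml").read())` after each edit; any finding should be fixed before reloading shibd.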
    

Configure Apache

  1. Open shib.conf in edit mode
  2. Update it as follows to protect both apps, pointing each Location at its own applicationId:
    <Location /<context root of app1>>
      AuthType shibboleth
      ShibRequestSetting applicationId app1
      ShibRequestSetting requireSession 1
      require valid-user
    </Location>
    <Location /<context root of app2>>
      AuthType shibboleth
      ShibRequestSetting applicationId app2
      ShibRequestSetting requireSession 1
      require valid-user
    </Location>
    

Metadata URL

Metadata for these apps will be available at https://<FQDN>/<application context root>/Shibboleth.sso/Metadata.
For example, in the case above:
For app1: https://abc.ucsf.edu/<context root of app1>/Shibboleth.sso/Metadata
For app2: https://abc.ucsf.edu/<context root of app2>/Shibboleth.sso/Metadata
