There
Multiple SPs on same apache vhost
By default the helper scripts mentioned above use default values for the file names and the local hostname. If you need several SPs within a single Apache web server, generate a separate key pair and a separate metadata file for each of them (every SP needs its own entityID and its own signing/decryption credential) and point each ApplicationOverride at its own files:
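# Generate a dedicated key pair for the SP at /protected. -n sets the file-name prefix so the
# files do not collide with the default ones; -e must be the entityID that is later configured
# in the ApplicationOverride (https://www.mydomain.de/protected/Shibboleth.sso). The original
# command used https://www.mydomain.de/protected here, which does not match shibboleth2.xml.
linux # shib-keygen -h www.mydomain.de -e https://www.mydomain.de/protected/Shibboleth.sso -n www.mydomain.de-protected
# /etc/shibboleth/www.mydomain.de-protected-key.pem
# /etc/shibboleth/www.mydomain.de-protected-cert.pem
# Generate the SP metadata that is handed to the IdPs from the new certificate. The -e value
# becomes the entityID of the EntityDescriptor, so it must equal the entityID in shibboleth2.xml,
# otherwise the IdP rejects the SP's requests as coming from an unknown issuer. -h determines the
# host (and optional path prefix) of the advertised endpoints; it has to agree with the handlerURL
# configured for this override (see the second example below for a path-qualified -h).
# NOTE(review): -c is given as a relative path; run this from /etc/shibboleth or pass the absolute
# path - confirm shib-metagen does not prepend a directory itself.
linux # shib-metagen -h www.mydomain.de -e https://www.mydomain.de/protected/Shibboleth.sso -c www.mydomain.de-protected-cert.pem > /etc/shibboleth/mydomain-protected.xml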
The corresponding shibboleth2.xml section looks like this (the entityID configured here must be the same one that appears in the metadata handed to the IdPs):
<...>
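<!-- Per-application SP for https://www.mydomain.de/protected. Requests are mapped to this
     override by its id ("federated"), e.g. via ShibRequestSetting applicationId federated
     in the Apache configuration (not shown here). The entityID must be identical to the
     entityID in the metadata given to the IdPs. -->
<ApplicationOverride entityID="https://www.mydomain.de/protected/Shibboleth.sso" id="federated"
    homeURL="https://www.mydomain.de/protected/Shibboleth.sso/Session"
    REMOTE_USER="eppn subject-id pairwise-id persistent-id">
    <!-- handlerSSL="true" and cookieProps="https" keep handler traffic and the session cookie
         on TLS; redirectLimit="exact" restricts post-login redirects to this host.
         checkAddress="false" does not bind the session to the client IP (usual behind NAT
         or proxies), so the session is protected by the cookie alone.
         NOTE(review): handlerURL must lie under the path mapped to this override and must
         match the AssertionConsumerService Locations in the metadata handed to the IdPs;
         metadata generated with a bare "-h www.mydomain.de" advertises endpoints under
         /Shibboleth.sso, not under /shib-fed-protected/Shibboleth.sso - confirm which
         path the Apache mapping uses and keep both sides consistent. -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
        checkAddress="false" handlerSSL="true" handlerURL="/shib-fed-protected/Shibboleth.sso" cookieProps="https"
        redirectLimit="exact">
        <!-- only SAML2 is enabled; discovery via the SAML DS protocol -->
        <SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.mydomain.de/ds/"> SAML2 </SSO>
    </Sessions>
    <!-- backing files will be placed in /var/cache/shibboleth/ -->
    <!-- NOTE(review): validate="true" is XML schema validation only, not signature checking.
         Neither provider has a MetadataFilter (e.g. type="Signature" with a trusted signing
         certificate, or type="RequireValidUntil"), so trust in the IdP keys rests solely on
         the HTTPS download of the descriptor. Add a Signature filter where the IdP publishes
         signed metadata. -->
    <MetadataProvider type="XML" validate="true"
        url="https://keycloak.mydomain.de/realms/MYDOMAIN/protocol/saml/descriptor"
        backingFilePath="shib-metadata-keycloak-mydomain.xml"/>
    <MetadataProvider type="XML" validate="true"
        url="https://simplesaml.otherdomain.de/simplesaml/saml2/idp/metadata.php"
        backingFilePath="shib-metadata-simplesaml-otherdomain.xml"/>
    <!-- Key and certificate as written by shib-keygen -n www.mydomain.de-protected; both
         files live in /etc/shibboleth/. The original config pointed the key at an sps/
         subdirectory that shib-keygen never creates, so the credential could not be loaded. -->
    <CredentialResolver type="Chaining">
        <CredentialResolver type="File"
            key="/etc/shibboleth/www.mydomain.de-protected-key.pem"
            certificate="/etc/shibboleth/www.mydomain.de-protected-cert.pem"/>
    </CredentialResolver>
</ApplicationOverride>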
<...>
Non-Standard location
The standard use case for mod_shib is to protect a complete website, not a subset of it. Other setups (for example protecting only a sub-directory) are more complex and error prone and are therefore not recommended.
A slightly more involved example, generating metadata for an SP that protects only a sub-directory (note that -h now carries the path prefix, so the advertised endpoints end up under /protected/Shibboleth.sso):
linux # shib-metagen -h www.mydomain.de/protected -c www.mydomain-cert.pem -e https://www.mydomain.de/protected/Shibboleth.sso
<!-- SP metadata as emitted by the shib-metagen call above: the entityID comes from -e, the
     host and path prefix of every endpoint Location from -h, and the certificate from -c.
     The descriptor is unsigned and carries no validUntil, so the IdP operator must obtain it
     over a trusted channel (it is the sole source of this SP's public key). -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.mydomain.de/protected/Shibboleth.sso">
<!-- NOTE(review): SAML 1.1 support is advertised here although the SSO element in the
     shibboleth2.xml example above enables only SAML2; if that holds for this SP too, drop
     the SAML 1.1 protocol entry and the browser-post endpoint below before publishing, so
     the IdP cannot be steered to an unused, legacy endpoint. -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<!-- no "use" attribute: the one certificate serves for both signing and encryption -->
<md:KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
<!-- placeholder for the base64 body of www.mydomain-cert.pem -->
<... CERT HERE ...>
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<!-- All Locations are derived from -h; they must match the handlerURL of the SP that serves
     this override, otherwise IdP responses arrive at a handler that does not belong to it. -->
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/POST" index="1"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML2/ECP" index="3"/>
<!-- SAML 1.x endpoint, see the note above -->
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://www.mydomain.de/protected/Shibboleth.sso/SAML/POST" index="4"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>