
Shibboleth SP single site to multiple site


I currently have Shib SP (v3) running to protect a website, let's call it site1.example.com. Let's say example.com uses an IDP called example1_auth, and it is up and running as expected. I have other websites on the same server; they are completely separate from example.com, with different subdomains and different purposes, and they just share the resources of the server (let's call the server server1).

I now need to configure Shib SP to protect one of these other websites, let's call this other site site2.example.com, and it will use example2_auth as its IDP.

My question is: how do I protect the additional site, and what changes are required to the shibboleth2.xml file and attribute-map.xml?

From what I understand, I need to do at least the following. Add an additional site to the <InProcess> section:

<InProcess>
    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="5" name="site1.example.com" scheme="https" port="443"/>
        <Site id="15" name="site2.example.com" scheme="https" port="443"/> <!--New-->
    </ISAPI>
</InProcess>

Add an additional host to the <RequestMapper> section, so that would look something like this:

<RequestMapper type="Native">
    <RequestMap>
        <Host name="site1.example.com" port="443" scheme="https">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
        <!--New-->
        <Host name="site2.example.com" port="443" scheme="https">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>

Assuming those parts are correct, what changes are required here?

<ApplicationDefaults entityID="https://site1.example.com/Shibboleth"
    REMOTE_USER="eppn subject-id pairwise-id persistent-id"
    cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="cookie" handlerSSL="false" cookieProps="; HttpOnly; path=/; secure" >
        <SSO entityID="site1_auth">
            SAML2 SAML1
        </SSO>
        <Logout>SAML2 Local</Logout>
        <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    </Sessions>

    <MetadataProvider type="XML" validate="true" path="C:\opt\SSO_Metadata\site1.xml"/>
    <MetadataProvider type="XML" validate="true" path="C:\opt\SSO_Metadata\site2.xml"/>

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    
    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Simple file-based resolvers for separate signing/encryption keys. -->
    <CredentialResolver type="File" use="signing"
        key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
    <CredentialResolver type="File" use="encryption"
        key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
    

I think I need to add an <ApplicationOverride> section within this part, but I'm not sure that's right. The documentation points to a better way but never really fully explains what that might be, or at least not from what I've seen. I find the Confluence documentation lacks fully fledged examples to go from.

Apologies for the long post

mangohost
