
Wednesday, 13 December 2023

How to deploy Tomcat + Shibboleth IdP with Nginx as reverse proxy

Shibboleth IdP itself is a Java web app that can be served by any servlet container; I use Tomcat in this article.

When proxied by Apache httpd over the AJP protocol, Shibboleth IdP works without any extra configuration, because AJP by default passes Tomcat enough information, such as the original protocol (https) and the forwarded host.

But Nginx has no built-in AJP support, so the usual choice is to proxy over plain HTTP instead.

1 Nginx config

server {
    listen       443 ssl;
    server_name  idp.example.com;
    ssl_certificate idp.example.com.crt;
    ssl_certificate_key idp.example.com.key;
    location /idp/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://idp:8080/idp/;
    }
}

It's crucial to set the two headers above to make the IdP work. Without them, the IdP will complain that endpoints don't match: it builds the request URL from the scheme and host it sees, so it would see http://idp:8080/idp/... while its metadata lists https://idp.example.com/idp/... endpoints.

2 Tomcat config

<Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

  <Valve className="org.apache.catalina.valves.RemoteIpValve" />

</Host>

Add the "RemoteIpValve" so that Tomcat (and hence the IdP) reads the protocol from X-Forwarded-Proto and, together with the Host header that Nginx forwards, sees the real scheme and host name the browser used. The valve honours forwarded headers only when the connection comes from an address matching its internalProxies attribute (by default the private, link-local and loopback ranges); if Nginx runs somewhere else, set internalProxies to Nginx's address explicitly rather than widening it, because any peer listed there can set the scheme and client address the IdP records.
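To make that trust rule concrete, here is an added example (mine, not code from the post or from Tomcat itself) that models in Python the decision RemoteIpValve makes: X-Forwarded-Proto and X-Forwarded-For are honoured only when the TCP peer is an internal proxy, otherwise they are ignored. The address ranges are Tomcat's documented defaults written as CIDR blocks; the sample addresses (172.18.0.2 for the Nginx container, 203.0.113.10 for a browser, 198.51.100.7 for a connection that reaches Tomcat directly) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Tomcat's default internalProxies (a regex in the real valve), as CIDR blocks.
DEFAULT_INTERNAL_PROXIES = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
        "127.0.0.0/8", "172.16.0.0/12", "::1/128",
    )
]


@dataclass
class Resolved:
    """What the servlet request reports after the valve has run."""
    remote_addr: str
    scheme: str
    secure: bool
    server_port: int


def is_internal(addr, internal):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internal)


def resolve_forwarded(remote_addr, headers,
                      internal_proxies=DEFAULT_INTERNAL_PROXIES,
                      https_port=443, http_port=80):
    """Simplified model of RemoteIpValve (assumption: mirrors its documented rules).

    remote_addr: the TCP peer Tomcat actually talked to.
    headers:     the forwarded headers on the request (constructed sample dict).
    """
    # Tomcat sees plain HTTP on 8080 because Nginx proxies with http://.
    result = Resolved(remote_addr, "http", False, 8080)

    # Rule 1: a peer outside internalProxies gets no say; headers are ignored.
    if not is_internal(remote_addr, internal_proxies):
        return result

    # Rule 2: walk X-Forwarded-For from the right, skipping internal hops;
    # the first non-internal hop is treated as the client address.
    xff = headers.get("X-Forwarded-For")
    if xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        client = None
        for hop in reversed(hops):
            client = hop
            if not is_internal(hop, internal_proxies):
                break
        result.remote_addr = client

    # Rule 3: X-Forwarded-Proto decides scheme, isSecure() and server port.
    proto = headers.get("X-Forwarded-Proto")
    if proto is not None:
        if proto.lower() == "https":
            result.scheme, result.secure, result.server_port = "https", True, https_port
        else:
            result.scheme, result.secure, result.server_port = "http", False, http_port
    return result


if __name__ == "__main__":
    # The post's setup: Nginx in a private range sets X-Forwarded-Proto: https.
    print(resolve_forwarded("172.18.0.2", {"X-Forwarded-Proto": "https"}))
    # A request that bypasses Nginx and supplies its own header: ignored.
    print(resolve_forwarded("198.51.100.7", {"X-Forwarded-Proto": "https"}))
```

The second call is the case that matters for security: if port 8080 were reachable without going through Nginx, the valve still discards the forwarded headers because the peer is not an internal proxy. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to the Nginx location would let the IdP's audit log record the browser's address instead of Nginx's.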
