[Shib-Users] 2 VirtualHost on the same SP


jehan procaccia

Apr 22, 2009, 9:34:24 AM
to shibbole...@internet2.edu
Hello,

It took me a long time to debug why I couldn't run 2 apache virtual
hosts on the same SP.
I took the example from
https://spaces.internet2.edu/display/SHIB2/NativeSPApplication
which contains perhaps (I can be wrong) bad or wrongly placed
directives about the Path element?
For serving two virtual hosts (trombi and annu) on my apache+mod_shib,
based on the doc NativeSPApplication
<https://spaces.internet2.edu/display/SHIB2/NativeSPApplication>, I
ended up in my shibboleth2.xml with that:

<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="bidon.it-sudparis.eu">
      <Path name="/" authType="shibboleth" requireSession="false"></Path>
    </Host>
    <Host name="trombi.it-sudparis.eu">
      <Path name="/" authType="shibboleth" requireSession="false" applicationId="trombi"></Path>
    </Host>
    <Host name="annu.it-sudparis.eu">
      <Path name="/" authType="shibboleth" requireSession="false" applicationId="annu"></Path>
    </Host>
  </RequestMap>
</RequestMapper>

which didn't work; I always had the error "Assertion contains an
unacceptable AudienceRestrictionCondition"

shibd.log:
2009-04-03 13:15:48 ERROR OpenSAML.AssertionValidator [6]: unacceptable
AudienceRestrictionCondition in assertion
(<saml:AudienceRestrictionCondition
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Audience>https://annu.it-sudparis.eu/</saml:Audience></saml:AudienceRestrictionCondition>)

2009-04-03 13:15:48 WARN Shibboleth.SSO.SAML1 [6]: detected a problem
with assertion: Assertion contains an unacceptable
AudienceRestrictionCondition.

By removing the element "<Path name="/" authType="shibboleth"
requireSession="false"></Path>" and moving the applicationId="annu" up
from the Path element to the Host element, it then worked fine.

<Host name="annu.it-sudparis.eu" requireSession="false"
applicationId="annu"></Host>
(actually I completely removed the Path element)

I cannot tell for sure if this is the right way to do it, but at least it
now works for me.
It isn't clear from
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHost
(or maybe another page?) where to set the applicationId: in the Host
element, or in the Path?
Thanks for reassuring me and confirming that I finally did it the right way.

Regards.

Scott Cantor

Apr 22, 2009, 11:05:38 AM
to jehan.p...@it-sudparis.eu, shibbole...@internet2.edu
> I took the example from
> https://spaces.internet2.edu/display/SHIB2/NativeSPApplication
> which contains perhaps (I can be wrong) bad or wrongly placed
> directives about the Path element?

I don't see anything incorrect about them. One of them is showing two vhosts
with separate applications and the other is showing one vhost with separate
applications.

> For serving two virtual hosts (trombi and annu) on my apache+mod_shib,
> based on the doc NativeSPApplication
> <https://spaces.internet2.edu/display/SHIB2/NativeSPApplication>, I
> ended up in my shibboleth2.xml with that

Am I wrong in suggesting that your native.log in that case would have
contained these warnings?

"skipping Path element (N) with empty name attribute"

Once it skips the leading slash, it should see an empty name and warn you.

I'll add something to the documentation about it.

> By removing the element "<Path name="/" authType="shibboleth"
> requireSession="false"></Path>" and moving the applicationId="annu" up
> from the Path element to the Host element, it then worked fine.

Yes, that's where it belongs.

> I cannot tell for sure if this is the right way to do it, but at least it
> now works for me.

It is.

> It isn't clear from
> https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHost
> (or maybe another page?) where to set the applicationId: in the Host
> element, or in the Path?

Where to set it depends on what you want to accomplish, which is one reason
I guess that the two examples Nate did on the Application topic show the two
different ways it typically gets done.

-- Scott
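To make the failure mode concrete, here is an added Python model (not code from the thread or from the Shibboleth SP) of the RequestMapper rules Scott describes, run over a constructed copy of both configurations; the entityId table and the "other-app" Path are assumptions added to show that a Path with a real name does keep its applicationId.

```python
import warnings
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the thread's failing RequestMap: applicationId="annu" sits on <Path name="/">.
BROKEN = """<RequestMapper type="Native"><RequestMap applicationId="default">
<Host name="bidon.it-sudparis.eu"><Path name="/" authType="shibboleth" requireSession="false"/></Host>
<Host name="annu.it-sudparis.eu"><Path name="/" authType="shibboleth" requireSession="false" applicationId="annu"/></Host>
</RequestMap></RequestMapper>"""
# The working form: applicationId moved up to <Host>. The hypothetical "other-app" Path is added
# to show that a Path with a real (non-root) name does carry its own applicationId.
FIXED = """<RequestMapper type="Native"><RequestMap applicationId="default">
<Host name="bidon.it-sudparis.eu" authType="shibboleth" requireSession="false"><Path name="/other-app" applicationId="other-app"/></Host>
<Host name="annu.it-sudparis.eu" requireSession="false" applicationId="annu"/>
</RequestMap></RequestMapper>"""
# Assumed entityId per application; only the annu value is taken from the shibd.log in the thread.
ENTITY_IDS = {"default": "https://bidon.it-sudparis.eu/shibboleth",
              "annu": "https://annu.it-sudparis.eu/",
              "other-app": "https://bidon.it-sudparis.eu/other-app"}

def build_request_map(xml_text):
    # Approximates the Native RequestMapper loading rules Scott describes: a Path name is
    # matched with its leading "/" removed, and a Path whose name is then empty is skipped
    # with a warning, so every attribute on it (including applicationId) is lost.
    root = ET.fromstring(xml_text)
    reqmap = root.find("RequestMap") if root.tag == "RequestMapper" else root
    hosts = {}
    for host in reqmap.findall("Host"):
        host_props = dict(reqmap.attrib, **host.attrib)  # RequestMap -> Host inheritance
        paths = {}
        for n, path in enumerate(host.findall("Path"), 1):
            name = path.get("name", "").strip("/")
            if not name:
                warnings.warn("skipping Path element (%d) with empty name attribute" % n)
                continue
            paths[name] = dict(host_props, **path.attrib)  # Host -> Path inheritance
        hosts[host.get("name")] = (host_props, paths)
    return hosts

def effective_application(hosts, url):
    # applicationId that will handle a request: first path segment if mapped, else the Host's.
    u = urlsplit(url)
    host_props, paths = hosts[u.hostname]
    first = u.path.strip("/").split("/")[0]
    return paths[first]["applicationId"] if first in paths else host_props["applicationId"]

def audience_acceptable(hosts, url, audience):
    # The check that failed in shibd.log: the assertion's <saml:Audience> must equal the
    # entityId of the application the RequestMapper actually selected for the URL.
    return ENTITY_IDS[effective_application(hosts, url)] == audience
```

With BROKEN the request to annu.it-sudparis.eu is served by the "default" application, so an assertion whose Audience is the annu entityId is rejected exactly as in the log; with FIXED it is accepted.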


jehan procaccia

Apr 22, 2009, 11:41:21 AM
to shibbole...@internet2.edu
Scott Cantor wrote:
>> I took the example from
>> https://spaces.internet2.edu/display/SHIB2/NativeSPApplication
>> which contains perhaps (I can be wrong) bad or wrongly placed
>> directives about the Path element?
>
> I don't see anything incorrect about them. One of them is showing two vhosts
> with separate applications and the other is showing one vhost with separate
> applications.

I thought my case was corresponding to the second example
"This other example shows the shibboleth.xml where the additional application is on the same host but uses a different entityId..."
example which defines a Path element containing the "applicationId="other-app" " which caused me the "unacceptable AudienceRestrictionCondition" ... but I might have chosen the wrong example.

>> For serving two virtual hosts (trombi and annu) on my apache+mod_shib,
>> based on the doc NativeSPApplication
>> <https://spaces.internet2.edu/display/SHIB2/NativeSPApplication>, I
>> ended up in my shibboleth2.xml with that
>
> Am I wrong in suggesting that your native.log in that case would have
> contained these warnings?
>
> "skipping Path element (N) with empty name attribute"
>
> Once it skips the leading slash, it should see an empty name and warn you.

I do have one "skipping Path element..." once in native.log:

...
2009-04-22 12:05:36 INFO Shibboleth.Config : building RequestMapper of type Native...
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : no resource uri/path/name supplied, will load inline configuration
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : loading inline configuration...
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property applicationId (default)
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property name (bidon.it-sudparis.eu)
2009-04-22 12:05:36 WARN Shibboleth.RequestMapper : skipping Path element (1) with empty name attribute
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://bidon.it-sudparis.eu
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://bidon.it-sudparis.eu:80
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://bidon.it-sudparis.eu
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://bidon.it-sudparis.eu:443
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property applicationId (trombi)
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property name (trombi.it-sudparis.eu)
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property requireSession (false)
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://trombi.it-sudparis.eu
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://trombi.it-sudparis.eu:80
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://trombi.it-sudparis.eu
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://trombi.it-sudparis.eu:443
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property applicationId (annu)
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property name (annu.it-sudparis.eu)
2009-04-22 12:05:36 DEBUG Shibboleth.PropertySet : added property requireSession (false)
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://annu.it-sudparis.eu
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for http://annu.it-sudparis.eu:80
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://annu.it-sudparis.eu
2009-04-22 12:05:36 DEBUG Shibboleth.RequestMapper : Added <Host> mapping for https://annu.it-sudparis.eu:443
2009-04-22 12:05:36 INFO Shibboleth.SessionCache : cleanup thread started...run every 900 secs; timeout after 900 secs
...

> I'll add something to the documentation about it.
>
>> By removing the element "<Path name="/" authType="shibboleth"
>> requireSession="false"></Path>" and moving the applicationId="annu" up
>> from the Path element to the Host element, it then worked fine.
>
> Yes, that's where it belongs.
>
>> I cannot tell for sure if this is the right way to do it, but at least it
>> now works for me.
>
> It is.
>
>> It isn't clear from
>> https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHost
>> (or maybe another page?) where to set the applicationId: in the Host
>> element, or in the Path?
>
> Where to set it depends on what you want to accomplish, which is one reason
> I guess that the two examples Nate did on the Application topic show the two
> different ways it typically gets done.

OK, I'll check that thoroughly next time,
thanks.

> -- Scott


Scott Cantor

Apr 22, 2009, 11:55:16 AM
to jehan.p...@it-sudparis.eu, shibbole...@internet2.edu
jehan procaccia wrote on 2009-04-22:
> I thought my case was corresponding to the second example
> "This other example shows the shibboleth.xml where the additional
> application is on the same host but uses a different entityId..."
> example which defines a Path element containing the "applicationId="other-
> app" " which caused me the "unacceptable AudienceRestrictionCondition" ...
> but I might have chosen the wrong example.

I would say so, yes. I'll change it to say "virtual host" instead of "host".

> I do have one "skipping Path element..." once in native.log:

So, apparently people aren't getting this, as this has been going on for a
while.
YOU CANNOT IGNORE WARNINGS. EVER.

If you see a warning, you'd better either understand what it means and that
it's expected, or fix it. Ignoring it isn't an option.

-- Scott

