It took me a long time to debug why I couldn't run 2 Apache virtual
hosts on the same SP.
I took the example from
https://spaces.internet2.edu/display/SHIB2/NativeSPApplication
which contains perhaps (I can be wrong) bad or wrongly placed
directives about the Path element?
For serving two virtual hosts (trombi and annu) on my apache+mod_shib,
based on the doc NativeSPApplication
<https://spaces.internet2.edu/display/SHIB2/NativeSPApplication>, I
ended up in my shibboleth2.xml with that:
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="bidon.it-sudparis.eu">
      <Path name="/" authType="shibboleth"
            requireSession="false"> </Path>
    </Host>
    <Host name="trombi.it-sudparis.eu">
      <Path name="/" authType="shibboleth"
            requireSession="false" applicationId="trombi"></Path>
    </Host>
    <Host name="annu.it-sudparis.eu">
      <Path name="/" authType="shibboleth"
            requireSession="false" applicationId="annu" ></Path>
    </Host>
  </RequestMap>
</RequestMapper>
which didn't work; I always had the error "Assertion contains an
unacceptable AudienceRestrictionCondition".
shibd.log:
2009-04-03 13:15:48 ERROR OpenSAML.AssertionValidator [6]: unacceptable
AudienceRestrictionCondition in assertion
(<saml:AudienceRestrictionCondition
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Audience>https://annu.it-sudparis.eu/</saml:Audience></saml:AudienceRestrictionCondition>)
2009-04-03 13:15:48 WARN Shibboleth.SSO.SAML1 [6]: detected a problem
with assertion: Assertion contains an unacceptable
AudienceRestrictionCondition.
By removing the element "<Path name="/" authType="shibboleth"
requireSession="false"></Path>" and moving up the
applicationId="annu" from the Path element to the Host element, then it
worked fine.
<Host name="annu.it-sudparis.eu" requireSession="false"
applicationId="annu"></Host>
(actually I completely removed the Path element)
I cannot tell for sure if this is the right way to do it, but at least it
now works for me.
It isn't clear from
https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHost
or maybe another page? where to set the applicationId, in the Host
element, or in the Path?
Thanks for reassuring me and confirming that I finally did it the right way.
Regards.
I don't see anything incorrect about them. One of them is showing two vhosts
with separate applications and the other is showing one vhost with separate
applications.
> For serving two virtual hosts (trombi and annu) on my apache+mod_shib,
> based on the doc NativeSPApplication
> <https://spaces.internet2.edu/display/SHIB2/NativeSPApplication>, I
> ended up in my shibboleth2.xml with that
Am I wrong in suggesting that your native.log in that case would have
contained these warnings?
"skipping Path element (N) with empty name attribute"
Once it skips the leading slash, it should see an empty name and warn you.
I'll add something to the documentation about it.
> By removing the element "<Path name="/" authType="shibboleth"
> requireSession="false"></Path>" and moving up the
> applicationId="annu" from the Path element to the Host element, then it
> worked fine.
Yes, that's where it belongs.
> I cannot tell for sure if this is the right way to do it, but at least it
> now works for me.
It is.
> It isn't clear from
> https://spaces.internet2.edu/display/SHIB2/NativeSPRequestMapHost
> or maybe another page? where to set the applicationId, in the Host
> element, or in the Path?
Where to set it depends on what you want to accomplish, which is one reason
I guess that the two examples Nate did on the Application topic show the two
different ways it typically gets done.
-- Scott
I would say so, yes. I'll change it to say "virtual host" instead of "host".
> I do have one "skipping Path element..." once in native.log:
So, apparently people aren't getting this, as this has been going on for a
while.
YOU CANNOT IGNORE WARNINGS. EVER.
If you see a warning, you'd better either understand what it means and that
it's expected, or fix it. Ignoring it isn't an option.
-- Scott
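
A pre-deployment check for the failure discussed in this thread, as an added example that is not part of the original messages and not Shibboleth project code. It flags every Path whose name is empty once the leading slash is skipped (the rule as described in the reply above) and shows which settings are lost and which applicationId the host really gets. The function names are hypothetical, the sample XML is constructed from the first message, and the "default" fallback is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the RequestMap from the first message, trimmed to two hosts.
SAMPLE = """
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="trombi.it-sudparis.eu">
      <Path name="/" authType="shibboleth" requireSession="false" applicationId="trombi"/>
    </Host>
    <Host name="annu.it-sudparis.eu" requireSession="false" applicationId="annu"/>
  </RequestMap>
</RequestMapper>
"""

def local(tag):
    """Drop an XML namespace prefix such as '{urn:...}Host' -> 'Host'."""
    return tag.rsplit("}", 1)[-1]

def effective_path_name(name):
    """Model of the behaviour described in the thread (an assumption, not SP code):
    the leading slash is skipped, and an empty remainder means the Path is ignored."""
    return name[1:] if name.startswith("/") else name

def lint_request_map(xml_text):
    """Return one finding per Path that would be skipped, with the settings
    that are lost and the applicationId the host's requests actually map to."""
    root = ET.fromstring(xml_text)
    findings = []
    for rmap in (e for e in root.iter() if local(e.tag) == "RequestMap"):
        map_app = rmap.get("applicationId", "default")  # assumed fallback
        for host in (e for e in rmap if local(e.tag) == "Host"):
            host_app = host.get("applicationId", map_app)
            for path in (e for e in host if local(e.tag) == "Path"):
                name = path.get("name", "")
                if effective_path_name(name) == "":
                    lost = {k: v for k, v in path.attrib.items() if k != "name"}
                    findings.append({"host": host.get("name"), "path": name,
                                     "ignored_settings": lost,
                                     "effective_applicationId": host_app})
    return findings

if __name__ == "__main__":
    for f in lint_request_map(SAMPLE):
        print(f"{f['host']}: Path name={f['path']!r} is skipped; "
              f"lost {f['ignored_settings']}; requests map to "
              f"applicationId={f['effective_applicationId']!r}")
```

The same silent drop applies to access-control attributes such as requireSession placed on a skipped Path, so a finding here deserves the same attention as the native.log warning.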