shibboleth-spで複数ホスト運用

SPのshibdの設定でApplicationOverrideを使うと、1つのSP(shibd)で複数のホストを運用できます。
https://spaces.internet2.edu/display/SHIB2/NativeSPApplicationOverride
ApplicationOverrideでサイトごとにサーバ証明書や提供したい情報の制限、環境変数名、IdPを変えられるので便利です。
以下の情報は単なる"オレはこうしてるぜ"的な情報で、忘れないためのメモです(この例ではentityIDとサーバ証明書だけoverride)。なお、この例ではTLSサーバ証明書の鍵をshibdのSAML用鍵としても使い回しているため、秘密鍵をshibdユーザから読める権限にする必要があり、証明書を更新するたびにIdP/フェデレーション側のSPメタデータも更新が必要になる点に注意(本来はSP専用の長期有効な鍵を作るほうが無難)。
shibboleth2.xml抜粋

...
<!-- Maps inbound requests to an application. Hosts that carry no
     applicationId of their own inherit the map-wide value ("default"). -->
<RequestMap applicationId="default">
    <!-- www1 has no applicationId, so it resolves to "default",
         i.e. the <ApplicationDefaults> block itself. -->
    <Host name="www1.example.net"
          authType="shibboleth"
          requireSession="true"/>
    <!-- www2 is routed to the "vhost1" override; this id must match the
         <ApplicationOverride id="vhost1"> declared under ApplicationDefaults. -->
    <Host name="www2.example.net"
          applicationId="vhost1"
          authType="shibboleth"
          requireSession="true"/>
    <!-- NOTE(review): Host matching is done on the server name Apache reports
         for the request. The Shibboleth Apache guidance recommends
         UseCanonicalName On so that name comes from ServerName rather than the
         client-supplied Host header; confirm it is set in httpd.conf. -->
</RequestMap>
...
<!-- Settings shared by every host. Each <ApplicationOverride> below replaces
     only the attributes/children it lists and inherits everything else. -->
<ApplicationDefaults id="default"
                     policyId="default"
                     entityID="https://www1.example.net/shibboleth-sp"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     signing="false"
                     encryption="false">
    <!-- REMOTE_USER is populated from the first attribute in this list that
         the IdP actually releases, in the order given. -->
    <!-- signing/encryption govern the SP's own outbound SAML messages (per the
         SP docs); "false" is the SP default. They are unrelated to checking
         the IdP's signatures, which the security policy (policyId) handles. -->
    <!-- Credential shibd uses for SAML signing/decryption. This example reuses
         the TLS server key and cert that httpd.conf serves for www1.
         NOTE(review): shibd runs under its own user (shibd on RPM installs),
         so this private key must be made readable by it; and because the
         federation/IdP metadata is pinned to this cert, every TLS renewal
         forces a metadata update. A dedicated, long-lived self-signed SP key
         (e.g. generated with the SP's keygen.sh) avoids both problems. -->
    <CredentialResolver type="File"
                        key="/etc/pki/tls/private/www1.example.net.key"
                        certificate="/etc/pki/tls/certs/www1.example.net.cer"/>

    <!-- www2.example.net: only the entityID and the credential differ; policyId,
         REMOTE_USER, signing and encryption are inherited from the defaults.
         Presumably the separate entityID also needs its own SP metadata
         (carrying the www2 cert) registered with the IdP - verify. -->
    <ApplicationOverride id="vhost1"
                         entityID="https://www2.example.net/shibboleth-sp">
        <CredentialResolver type="File"
                            key="/etc/pki/tls/private/www2.example.net.key"
                            certificate="/etc/pki/tls/certs/www2.example.net.cer"/>
    </ApplicationOverride>
</ApplicationDefaults>
...

httpd.conf抜粋

# Shibboleth SP Apache module. The "_22" suffix is the build for httpd 2.2;
# the module file must match the httpd version actually installed.
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_22.so
...
# IP-based vhost (192.0.2.x is the RFC 5737 documentation range). Each host
# sits on its own address, so each can present its own certificate without
# relying on SNI. ServerName must equal the Host name used in the RequestMap.
<VirtualHost 192.0.2.1:443>
    ServerName   www1.example.net
    ...
    SSLEngine on
    # Same key/cert that shibboleth2.xml's <CredentialResolver> uses for the
    # "default" application. NOTE(review): sharing the TLS private key with
    # shibd means its permissions must be loosened to the shibd user; a
    # dedicated SAML key for the SP is the usual recommendation.
    SSLCertificateFile /etc/pki/tls/certs/www1.example.net.cer
    SSLCertificateKeyFile /etc/pki/tls/private/www1.example.net.key
    ...
    # Only /secure is protected; everything else on this vhost is served
    # without a Shibboleth session.
    <Location /secure>
        AuthType shibboleth
        # Require an active session (the SP starts login when there is none).
        # Duplicates requireSession="true" set for this host in the RequestMap;
        # the native Apache setting is the one that takes effect here.
        ShibRequestSetting requireSession 1
        # Any authenticated user is authorized; no attribute-based access control.
        require valid-user
    </Location>
</VirtualHost>
# Second IP-based vhost. Its ServerName matches the RequestMap <Host> entry that
# carries applicationId="vhost1", which is how requests here end up in the
# "vhost1" ApplicationOverride (separate entityID and credential).
<VirtualHost 192.0.2.2:443>
    ServerName   www2.example.net
    ...
    SSLEngine on
    # Same key/cert that the "vhost1" <CredentialResolver> in shibboleth2.xml
    # points at. NOTE(review): as for www1, the TLS private key must then be
    # readable by the shibd user, and renewing the TLS cert changes the key the
    # IdP trusts for this SP - a dedicated SAML key avoids that coupling.
    SSLCertificateFile /etc/pki/tls/certs/www2.example.net.cer
    SSLCertificateKeyFile /etc/pki/tls/private/www2.example.net.key
    ...
    # Only /secure is protected; the rest of the vhost is unauthenticated.
    <Location /secure>
        AuthType shibboleth
        # Require an active session; mirrors requireSession="true" in the
        # RequestMap entry for this host.
        ShibRequestSetting requireSession 1
        # Any authenticated user is authorized; no attribute-based access control.
        require valid-user
    </Location>
</VirtualHost>