I am trying to configure a new Shibboleth-based SP that will authenticate through my SAML IdP (Duo Access Gateway).
My Shibboleth SP runs behind an IIS-based reverse proxy that rewrites URLs to the SP. The SP and Shibboleth itself run on Apache on Windows Server.
The problem with this setup is that my SP (Shibboleth) thinks it is running as, let's call it, "sp.mycompany.com". But my IdP passes the assertion to the reverse proxy address "proxy.mycompany.com", which then rewrites the request to "sp.mycompany.com". This causes Shibboleth to give the user the error "SAML message delivered with POST to incorrect server URL" and to log the error "POST targeted at (https://proxy.mycompany.com/Shibboleth.sso/SAML2/POST), but delivered to (http://sp.mycompany.com/Shibboleth.sso/SAML2/POST)" in the shibd log.
I have been searching, but have only found fixes that apply to different situations, not mine.
Edit: reverse proxy configuration added below
```xml
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <clear />
        <rule name="Duo" enabled="true" stopProcessing="true">
          <match filterByTags="None" pattern="^Shibboleth.sso/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" value="https://proxy.mycompany.com/{R:0}" />
        </rule>
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" enabled="true">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://sp.mycompany.com/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="true" />
          <action type="Rewrite" value="http{R:1}://proxy.mycompany.com/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
      <rules>
        <clear />
        <rule name="Duo" enabled="true" stopProcessing="true">
          <match url="^dag/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="https://duo.mycompany.com/{R:0}" appendQueryString="true" logRewrittenUrl="true" />
        </rule>
        <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://sp.mycompany.com/{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
      <rewriteMaps>
        <rewriteMap name="test" />
      </rewriteMaps>
    </rewrite>
    <httpRedirect enabled="false" destination="https://proxy.mycompany.com/dag" />
  </system.webServer>
</configuration>
```
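The check that produces the "POST targeted at ... but delivered to ..." error, modelled as an added Python example (not Shibboleth's own code): the SP compares the `Destination` attribute of the SAML Response with the URL it believes the POST arrived at. The sample Response and request headers are constructed; the `X-Forwarded-Host`/`X-Forwarded-Proto` handling is an assumption about a proxy that preserves the public endpoint, not what the IIS rules above currently do.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
PATH = "/Shibboleth.sso/SAML2/POST"

# Constructed sample Response: the IdP addressed it to the proxy's public URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed"
    Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://proxy.mycompany.com{PATH}"></samlp:Response>"""

# Constructed headers as the SP sees them after the IIS inbound rule rewrote
# the request to http://sp.mycompany.com/... (the poster's situation) ...
REWRITTEN = {"Host": "sp.mycompany.com"}
# ... and with a proxy that additionally preserves the public endpoint.
FORWARDED = {"Host": "sp.mycompany.com",
             "X-Forwarded-Host": "proxy.mycompany.com",
             "X-Forwarded-Proto": "https"}

def saml_destination(response_xml):
    """Return the Destination attribute of a samlp:Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    dest = root.get("Destination")
    if not dest:
        raise ValueError("Response carries no Destination attribute")
    return dest

def effective_endpoint(conn_scheme, headers, trust_forwarded):
    """Scheme and host the SP considers the request delivered to; X-Forwarded-*
    is honoured only for a trusted proxy, otherwise a client-supplied one is ignored."""
    scheme, host = conn_scheme, headers["Host"]
    if trust_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return scheme, host

def destination_matches(response_xml, scheme, host, path):
    """Scheme, host and path must all agree (host compared case-insensitively)."""
    want = urlsplit(saml_destination(response_xml))
    got = urlsplit(f"{scheme}://{host}{path}")
    return (want.scheme == got.scheme
            and want.netloc.lower() == got.netloc.lower()
            and want.path == got.path)

def check(headers, trust_forwarded, conn_scheme="http"):
    scheme, host = effective_endpoint(conn_scheme, headers, trust_forwarded)
    return destination_matches(SAMPLE_RESPONSE, scheme, host, PATH)
```

`check(REWRITTEN, False)` reproduces the mismatch logged in the question, while `check(FORWARDED, True)` passes because the public scheme and host are recovered from the trusted proxy.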