OKTA(IdP) - Shibboleth(SP) with reverse proxy to Tomcat

℡╲_俬逩灬. Submitted on 2019-12-11 15:46:10

Question


I am spinning a big wheel now. Please shed some light. The reverse proxy is working with Apache. So, when I access https://hostname/app/default.html, it opens the Tomcat app URL. No issue.

The Tomcat app currently redirects to https://hostname/app/login.html, which has a login box.

1) Do I need to disable UserDatabase in Tomcat's server.xml?

<Resource name="UserDatabase" auth="Container"
          type="org.apache.catalina.UserDatabase"
          description="User database that can be updated and saved"
          factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

2) Is this Shibboleth configuration correct? When I try to configure this with OKTA and Shibboleth (3.0), it loops on the OKTA SSO URL.

In shibboleth2.xml

<ApplicationDefaults id="default"
                     entityID="https://hostname/shibboleth-sp"
                     REMOTE_USER="userid">
   <SSO entityID="http://www.okta.com/~~~~">SAML2</SSO>
</ApplicationDefaults>

OKTA's metadata is downloaded and located next to the shibboleth2.xml file. The cert is also generated and placed in the same folder.

3) Is this OKTA configuration correct? In the OKTA widget configuration menu:

- Single sign on URL: https://hostname/Shibboleth.sso/SAML2/POST
- Recipient URL: https://hostname/Shibboleth.sso/SAML2/POST
- Destination URL: https://hostname/Shibboleth.sso/SAML2/POST
- Audience restriction: https://hostname/shibboleth-sp  <-- above SP entityID
- Default relay state: ??

Right now, when I click on the widget on OKTA, it loops.

https://hostname/Shibboleth.sso/SAML2/POST

contains the SAML response.

Then it redirects to the OKTA SSO URL. It never ends.

https://xxx.oktapreview.com/app/xx_reverse_proxy_/xxxx/sso/saml?SAMLRequest=~~~&RelayState=~~~

This contains the SAML request, but it looks like this.

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://hostname/Shibboleth.sso/SAML2/POST"
    Destination="https://okta sso/sso/saml"
    ID="xx"
    IssueInstant="2018-11-02T15:39:24Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hostname/shibboleth-sp</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="1"/>
</samlp:AuthnRequest>

Is this Issuer URL correct? Why is it looping, and how do I fix it?


Answer 1:


Re Q#1: You only need Tomcat users if you're going to protect an application with it, such as the Tomcat manager. Otherwise, no.

Re Q#2: You list <SSO entityID="http://www.okta.com/~~~~"> but Destination="https://okta sso/sso/saml" in the SAML. You might want to check http/https. This is a very common cause of looping. Eliminate any potential http/https inconsistency.

FWIW, the Issuer looks correct to me... that's what you specify in entityID="https://hostname/shibboleth-sp".
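The answer's advice boils down to a handful of string comparisons across three artefacts: the SP's shibboleth2.xml, the IdP metadata downloaded from Okta, and the AuthnRequest the SP actually emits. The script below is an added example, not code from the question, the answer, Shibboleth or Okta. It parses constructed versions of those three artefacts (the entity IDs, the oktapreview hostname and the app path are placeholders, not the poster's real values) plus the values typed into the Okta app wizard, and reports every pair that must agree for the round trip to terminate: SSO entityID against the metadata entityID, AuthnRequest Issuer against the SP entityID, AuthnRequest Destination against the metadata SingleSignOnService location, and the Okta ACS/recipient/destination/audience settings against the SP side. A pair that differs only in http versus https is reported as exactly that, since that is the case the answer singles out.

```python
"""Consistency checker for a Shibboleth SP <-> Okta SAML 2.0 setup (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the relevant shibboleth2.xml fragment (placeholder Okta entityID).
SHIB_SP_XML = """<ApplicationDefaults id="default"
    entityID="https://hostname/shibboleth-sp" REMOTE_USER="userid">
  <SSO entityID="http://www.okta.com/EXAMPLE-APP-ID">SAML2</SSO>
</ApplicationDefaults>"""

# Constructed sample of the IdP metadata as Okta publishes it (trimmed to the SSO endpoints).
IDP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.oktapreview.com/app/example/EXAMPLE-APP-ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.oktapreview.com/app/example/EXAMPLE-APP-ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest in the shape shown in the question; Destination deliberately
# uses plain http so the scheme-mismatch finding is exercised.
AUTHN_REQUEST_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://hostname/Shibboleth.sso/SAML2/POST"
    Destination="http://example.oktapreview.com/app/example/EXAMPLE-APP-ID/sso/saml"
    ID="_example" IssueInstant="2018-11-02T15:39:24Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://hostname/shibboleth-sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>"""

# Values entered in the Okta app wizard, as listed in the question.
OKTA_APP_SETTINGS = {
    "sso_url": "https://hostname/Shibboleth.sso/SAML2/POST",
    "recipient_url": "https://hostname/Shibboleth.sso/SAML2/POST",
    "destination_url": "https://hostname/Shibboleth.sso/SAML2/POST",
    "audience": "https://hostname/shibboleth-sp",
}


def _local(tag):
    """Strip a '{namespace}' prefix so fragments with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """First element (root included) whose local name matches."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def parse_sp_config(xml_text):
    root = ET.fromstring(xml_text)
    app = _find(root, "ApplicationDefaults")
    return {"sp_entity_id": app.get("entityID"), "idp_entity_id": _find(app, "SSO").get("entityID")}


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    locations = {el.get("Binding"): el.get("Location")
                 for el in root.iter() if _local(el.tag) == "SingleSignOnService"}
    return {"idp_entity_id": _find(root, "EntityDescriptor").get("entityID"), "sso_locations": locations}


def parse_authn_request(xml_text):
    root = ET.fromstring(xml_text)
    req = _find(root, "AuthnRequest")
    return {"issuer": _find(root, "Issuer").text.strip(),
            "acs": req.get("AssertionConsumerServiceURL"),
            "destination": req.get("Destination")}


def differ_only_in_scheme(a, b):
    """True when two URLs are identical apart from http vs https."""
    ua, ub = urlsplit(a), urlsplit(b)
    return ua.scheme != ub.scheme and ua[1:] == ub[1:]


def check_config(sp_xml, idp_metadata_xml, authn_request_xml, okta_settings):
    """Return a list of human-readable findings; an empty list means everything lines up."""
    sp, idp, req = parse_sp_config(sp_xml), parse_idp_metadata(idp_metadata_xml), parse_authn_request(authn_request_xml)
    findings = []

    def compare(label, actual, expected):
        if expected is None:
            findings.append(f"{label}: expected value missing from metadata")
        elif actual != expected:
            kind = "http/https mismatch" if differ_only_in_scheme(actual, expected) else "differ"
            findings.append(f"{label}: {kind} ({actual} vs {expected})")

    compare("SSO entityID vs IdP metadata entityID", sp["idp_entity_id"], idp["idp_entity_id"])
    compare("AuthnRequest Issuer vs SP entityID", req["issuer"], sp["sp_entity_id"])
    compare("AuthnRequest Destination vs IdP SSO location", req["destination"],
            idp["sso_locations"].get(REDIRECT_BINDING))
    compare("Okta audience vs SP entityID", okta_settings["audience"], sp["sp_entity_id"])
    for key in ("sso_url", "recipient_url", "destination_url"):
        compare(f"Okta {key} vs AuthnRequest ACS URL", okta_settings[key], req["acs"])
    # Endpoints carrying the SAML response must be TLS; entityIDs are only names and are not checked.
    for label, url in [("ACS URL", req["acs"])] + [(k, okta_settings[k]) for k in ("sso_url", "recipient_url", "destination_url")]:
        if urlsplit(url).scheme != "https":
            findings.append(f"{label} is not https: {url}")
    return findings


if __name__ == "__main__":
    for line in check_config(SHIB_SP_XML, IDP_METADATA_XML, AUTHN_REQUEST_XML, OKTA_APP_SETTINGS) or ["OK"]:
        print(line)
```

Run it against the real files by replacing the three constructed strings with the contents of shibboleth2.xml, the downloaded Okta metadata, and a base64/inflate-decoded SAMLRequest taken from the browser; with the sample above it reports a single http/https mismatch on the AuthnRequest Destination, and an empty list once the scheme is corrected.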



Source: https://stackoverflow.com/questions/53124620/oktaidp-shibbolethsp-with-reverse-proxy-to-tomcat
