SSO-plus-SSL and Shibboleth: What are the options for sites with multiple virtual hosts?

Background: Client X is a low budget non-commercial outfit that nevertheless has a lot of activity configured on virtual hosts, and new virtual hosts appear very often. Client X also has many users and is interested in bringing them onto a single solution, so that all users can use the same credentials on all virtual hosts.

It has also been mandated that we use [Shibboleth Single Sign-On](http://en.wikipedia.org/wiki/Shibboleth_(Internet2)) to handle authentication.

Problem: Shibboleth SSO uses SSL as part of its protocol, but getting multiple virtual hosts to use SSL is not a walk in the park. This question about virtual hosts with SSL details some of the pitfalls.

Question: What is the best way to proceed with this scenario (summary):

  • multiple virtual hosts on apache
  • setting up a separate IP and network adapter for each virtual host is not really an option
  • SSL pretty much requires a separate IP
  • they all need some kind of SSO
  • we are under heavy pressure to use Shibboleth as a single sign-on provider.

Is there something we can lose here or somehow resolve this without requiring a separate IP address for all vhosts?



2 answers


I have a client in the same situation, and the way they solved it was to buy the wildcard *.example.com and give every virtual host a specific subdomain of example.com to work around this issue.



This was with Shibboleth and it worked, although you need the host domains to agree to be under the same parent domain for SSO.

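As an added example that is not part of the answer above: an Apache 2.2 configuration for two name-based SSL virtual hosts on a single IP address, both serving the same wildcard certificate and both protected by the Shibboleth SP module. The hostnames, file paths and module location are assumptions made for illustration.

```apache
# Added example (not from the answer above): two name-based SSL vhosts on one IP,
# sharing a single *.example.com certificate, both protected by Shibboleth SP 2.x.
# Hostnames, paths and the module location are assumptions for illustration.

Listen 443
LoadModule ssl_module  modules/mod_ssl.so
LoadModule mod_shib    /usr/lib64/shibboleth/mod_shib_22.so

# Apache 2.2 needs this before more than one vhost may share *:443.
NameVirtualHost *:443

# Handler endpoint of the SP (session initiator, assertion consumer, etc.).
# It must be reachable on every hostname that uses Shibboleth.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<VirtualHost *:443>
    ServerName   app1.example.com
    DocumentRoot /var/www/app1

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.crt

    # Require a Shibboleth session for everything under /secure.
    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName   app2.example.com
    DocumentRoot /var/www/app2

    # Same certificate as above: *.example.com covers this name too, so the
    # handshake succeeds whether or not the browser sends SNI.
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.crt

    <Location /secure>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

Why this sidesteps the one-IP-per-SSL-host rule: without SNI, Apache has to choose a certificate before it knows which hostname the browser wants, so every *:443 vhost on that IP presents the first vhost's certificate. When all of them are configured with the same wildcard certificate that is harmless, because the name the browser verifies is covered either way. Two checks worth making before relying on it: a certificate for *.example.com matches app1.example.com but neither example.com itself nor x.app1.example.com (the wildcard covers exactly one label), so the bare domain and any deeper names need their own SAN entries or their own certificate; and the SP metadata registered with the IdP must list an AssertionConsumerService for each hostname (https://app1.example.com/Shibboleth.sso/SAML2/POST and so on), since the IdP only returns assertions to endpoints it knows about.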


If the data that you exchange with this site (the service provider) is not security sensitive, you can simply disable SSL for access to the site.

There are two SSL channels we are talking about:

  • the one used when the SP communicates with the IdP
  • the one used when users access the site


Only the latter needs to be "well known" (which you will have to pay for).

The HTTP Artifact binding can be used to avoid sending POST data from the IdP (which is SSL protected) to an SP that is not. This way you can avoid browser security warnings.

This setup still protects the user's credentials. The data that you exchange with the site will not be protected.
