* Adrian Barker [2009-08-11 14:52]:
> We are setting up some applications that run on Apache virtual
> servers and that use Shibboleth. Does anyone know what needs to be
> changed in the SP configuration or in the metadata? I've not been
> able to find any documentation on this.

This depends on the use case. E.g. if these applications can share a
single entityId (i.e. they have the same attribute requirements, since
the entityId is how the IdP tells them apart), you don't need to
change the shib config at all, only the metadata for the IdPs.
(Note that I only did this myself with Shib 2.x on both sides).

Just make sure each Apache httpd VirtualHost knows its own ServerName
(cf. eponymous httpd directive) and has `UseCanonicalName On`. Then
create additional protocol endpoints in the metadata describing this
SP (for each host name), so that each vhost has its own handlerURL
/Shibboleth.sso/... entries.

When accessing a protected resource on one of the vhosts, the
AuthnRequest from the SP tells the IdP which entityId this is for and
which ACS URL it wishes replies to be sent (this is where the vhost
comes into play), which the IdP then checks against the metadata
describing that entity.

If the applications need to differ in their attribute requirements you
could create a separate entityId for each vhost (either sharing the
same credentials as all the other vhosts/entityIds on that host, or
each with a separate set of credentials). When sharing the same
credential, there again should be no config necessary on the shib
side, only metadata.

-peter
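
The shared-entityId setup and the IdP-side check described in the message above, as an added example that is not part of the original post: it builds one AssertionConsumerService endpoint per vhost under a single entityID, then accepts a requested ACS URL only on an exact match against that metadata. The host names, entityID and function names are constructed for illustration; the /Shibboleth.sso/SAML2/POST location assumes the SP's default handlerURL.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)


def build_sp_metadata(entity_id, vhosts, handler="/Shibboleth.sso"):
    """One EntityDescriptor with one ACS endpoint per virtual host."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sso = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    for index, host in enumerate(vhosts, start=1):
        ET.SubElement(sso, f"{{{MD}}}AssertionConsumerService", {
            "Binding": POST,
            "Location": f"https://{host}{handler}/SAML2/POST",
            "index": str(index),  # each endpoint needs its own index
        })
    return ET.tostring(ed, encoding="unicode")


def registered_acs(metadata_xml, entity_id):
    """Return the (binding, location) pairs listed for this entityID."""
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != entity_id:
        return set()
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")}


def acs_allowed(metadata_xml, entity_id, acs_url, binding=POST):
    """Exact match only: no prefix, wildcard or host-suffix matching."""
    return (binding, acs_url) in registered_acs(metadata_xml, entity_id)


# Constructed sample values (hypothetical hosts and entityID).
ENTITY_ID = "https://sp.example.org/shibboleth"
VHOSTS = ["app1.example.org", "app2.example.org"]
METADATA = build_sp_metadata(ENTITY_ID, VHOSTS)

if __name__ == "__main__":
    print(METADATA)
    for host in VHOSTS + ["app3.example.org"]:  # app3 is not in the metadata
        url = f"https://{host}/Shibboleth.sso/SAML2/POST"
        print(url, "->", acs_allowed(METADATA, ENTITY_ID, url))
```

A vhost that is served by Apache but missing from the metadata (app3 here) is rejected, which is the usual symptom when a new vhost is added without registering its endpoint with the IdP.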