> i have a vague memory of ian young saying that the way the uk
> federation dos signing means it is advisable to front tomcat with
> apache. I could be wrong though as my vague memories are not reliable.
Ian can (and will!) rebut me here but I'd imagine that this was before we
developed the code which made it possible to deal with arbitrary signed
certs in tomcat.
> Certainly as Andy says fronting tomcat with apache is easy to do
Well that's me outvoted then. I'm one of those people who are more
comfortable with Tomcat only rather than Httpd. But you see I don't have to
use Httpd for very much (so it scares me) and I do use Tomcat a fair bit.
One thing I will do is to plead with people to *NOT* deploy their SOAP (Shib
facing) end points on the same port as the browser facing end points.
Please use separate ports (8443/443). This kind of setup has always been
very brittle even when Apache was "fixed" in 2.2. You may think you can
make it work but how long will it stay up for, and I still remember the stress
of the last two fire drills...
Rod
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of caleb racey
> Sent: 15 January 2010 14:07
> To: [log in to unmask]
> Subject: Re: IdP 2 Preferred installation
>
> i have a vague memory of ian young saying that the way the uk
> federation dos signing means it is advisable to front tomcat with
> apache. I could be wrong though as my vague memories are not reliable.
>
> Certainly as Andy says fronting tomcat with apache is easy to do and
> helps with simplicity. Both our shib2 idps are fronted with apache
> httpd. Ideally i would have liked a tomcat only install for simplicity
> but fronting with httpd actually made it easier.
>
>
> Regards
>
> Cal
>
> >-----Original Message-----
> >From: Discussion list for Shibboleth developments [mailto:JISC-
> >[log in to unmask]] On Behalf Of Andy Swiffin
> >Sent: 15 January 2010 11:38
> >To: [log in to unmask]
> >Subject: Re: IdP 2 Preferred installation
> >
> >>>> On 15/01/2010 at 11:08, in message <[log in to unmask]>, Pete Lettin <[log in to unmask]> wrote:
> >> That's the one I was working from but it doesn't tell you that you need to
> >> either configure tomcat to use/redirect port 443 or change the URLs to
> >> https://idp-server.domain:8443/idp/shibboleth/... in the shibboleth config so that
> >> the SPs can connect to it.
> >
> >Yes, that was what I was thinking. There are some other sites that
> >have documented this a bit better:
> >e.g.:
> > http://www.alaska.edu/oit/iam/active/idpinstall.pdf
> >
> >But I still don't see the harm (and still do see the simplicity) of
> >fronting it with apache.
> >
> >>
> >> Also authentication is very poorly documented. (I still haven't got it
> >> working with AD)
> >
> >you're not falling foul of the old referrals problem are you? Check out
> >the archives from a while back (oct 08, sep 08, may 09) although I think
> >they all refer to shib 1. I think most AD people go to the global
> >catalog to do authentication on port 3268 (if I remember right).
> >
> >There's some help at
> >https://spaces.internet2.edu/display/SHIB2/IdPADConfigIssues too.
> >
> >HTH (but I'm not really an AD man though)
> >Andy
> >
> >
> >
> >The University of Dundee is a registered Scottish charity, No: SC015096
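The port split Rod pleads for, written out as an added example (this is not configuration from the thread or from the Shibboleth project): an httpd 2.2 front end that proxies a Tomcat-hosted IdP 2 over AJP, keeps the browser-facing endpoints on 443 with no client certificate handling at all, and puts the SP-facing SOAP endpoints on 8443 where the SP's federation-metadata certificate is accepted without CA validation and handed through to the IdP for checking against metadata. The hostname idp.example.org, the certificate and key paths, and the AJP port 8009 are assumptions.

```apache
# Added example, not from the list thread or the Shibboleth project.
# Hostname, certificate/key paths and AJP port 8009 are assumptions.
# Requires mod_ssl, mod_proxy and mod_proxy_ajp.

Listen 443
Listen 8443

# Browser-facing endpoints (SSO, logout, status page).
# Client certificates are never requested here, so users are never
# shown a certificate-selection prompt and a commercial CA cert can
# be used without involving the federation key at all.
<VirtualHost *:443>
    ServerName idp.example.org

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile      /etc/pki/tls/certs/idp.example.org-browser.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/idp.example.org-browser.key
    SSLCertificateChainFile /etc/pki/tls/certs/commercial-ca-chain.crt
    SSLVerifyClient none

    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>

# SP-facing SOAP endpoints (attribute query, artifact resolution).
# The SP presents the certificate published in federation metadata,
# which need not chain to any CA httpd trusts, so the handshake accepts
# it without CA validation (optional_no_ca) and the certificate is
# exported over AJP for the IdP to match against metadata. This vhost
# serves the IdP's own federation credential, not the browser cert.
<VirtualHost *:8443>
    ServerName idp.example.org

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    /opt/shibboleth-idp/credentials/idp.crt
    SSLCertificateKeyFile /opt/shibboleth-idp/credentials/idp.key
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10
    SSLOptions +StdEnvVars +ExportCertData

    ProxyPass        /idp ajp://localhost:8009/idp
    ProxyPassReverse /idp ajp://localhost:8009/idp
</VirtualHost>
```

Tomcat then needs only an AJP/1.3 connector on 8009 and no HTTPS connectors of its own, and, as Pete notes above, the IdP's metadata must advertise the :8443 URLs for the AttributeService and ArtifactResolutionService endpoints or SPs will keep talking to 443. A quick check after deployment is `openssl s_client -connect idp.example.org:8443` versus `:443`: only the 8443 handshake should contain a CertificateRequest. The `SSLProtocol all -SSLv2` line is of the thread's era; a current deployment would also disable SSLv3 and early TLS.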