Virtual hosting issues with Shibboleth

From RavenWiki
Revision as of 16:02, 17 March 2009 by jw35 (talk | contribs)

Simple web servers just implement a single web site that is addressed by a single host name (often that assigned to the computer on which the site's web server runs). The example Shibboleth configurations provided are largely targeted at servers like this.

However more complicated web servers will serve multiple web sites from a single machine, with sites being selected either by name or based on the IP address and/or port used to connect to them. Some web servers may operate in 'clusters' for greater throughput and some will operate behind front-end systems which might also take responsibility for terminating SSL network connections.

The Internet2 Shibboleth software is very configurable and it should be possible to get it to work in most situations. However, configuration work will be required (mainly in the shibboleth2.xml file) and, given the range of possible requirements, it's difficult to give cookbook examples of what to do. A careful reading of the Internet2 documentation starting at

 https://spaces.internet2.edu/display/SHIB2/NativeSPConfiguration

is likely to be required; past traffic on the SHIBBOLETH-USERS mailing list can also be a useful resource, as can the list itself if all else fails (though do check its archives before jumping in).

For a fairly straightforward machine implementing multiple virtual hosts that all require similar authentication and authorisation services, areas of shibboleth2.xml that may need attention include:

  • (For IIS only) The <ISAPI> element of the <InProcess> element, which will need additional mappings of IIS's internal ids to the host names, schemes, and ports used by the various virtual hosts.
  • The <RequestMapper>, which will need appropriate <RequestMap>s to map incoming requests onto appropriate 'Application IDs'.
  • The 'Application IDs' themselves, which then need to be mapped into appropriate configurations using the <ApplicationDefaults> element and perhaps one or more <ApplicationOverride> elements.
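
The fragment below shows how the three areas above fit together for two virtual hosts. It is an added illustration, not configuration from the original page or from the Internet2 distribution; the host names, IIS site ids, entityIDs and the "apps" application ID are assumed placeholders.

```xml
<!-- Added example: fragment of shibboleth2.xml for two virtual hosts.
     Host names, Site ids, entityIDs and the "apps" application ID are
     assumptions; all other elements of the stock file are omitted. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">

  <!-- IIS only: map each IIS site instance id to the canonical
       host name, scheme and port of the virtual host it serves. -->
  <InProcess logger="native.logger">
    <ISAPI normalizeRequest="true">
      <Site id="1" name="www.example.org" scheme="https" port="443"/>
      <Site id="2" name="apps.example.org" scheme="https" port="443"/>
    </ISAPI>
  </InProcess>

  <!-- Map requests to application IDs. A Host without its own
       applicationId inherits "default" from the enclosing RequestMap. -->
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="www.example.org">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="apps.example.org" applicationId="apps"
            authType="shibboleth" requireSession="true"/>
    </RequestMap>
  </RequestMapper>

  <!-- Shared settings live in ApplicationDefaults; each override states
       only what differs for its application ID. -->
  <ApplicationDefaults id="default" policyId="default"
                       entityID="https://www.example.org/shibboleth"
                       REMOTE_USER="eppn persistent-id targeted-id">
    <!-- Sessions, Errors, MetadataProvider etc. as in the stock file -->
    <ApplicationOverride id="apps"
                         entityID="https://apps.example.org/shibboleth"/>
  </ApplicationDefaults>

</SPConfig>
```

Every applicationId used in the <RequestMap> should match the id of <ApplicationDefaults> or of one <ApplicationOverride>, so review the two sections together whenever a virtual host is added or renamed.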