List: shibboleth-users
Subject: kubernetes set up shibboleth SP
From: jimmi4u via users <users () shibboleth ! net>
Date: 2023-05-28 22:22:17
Message-ID: b00048d7-92d7-56b1-5a82-ab28b52c41bb () gmx ! at
Hi folks,
I have some questions regarding the config of Apache and Shib in this
scenario:
two pods in a k3s cluster running:
Shibboleth SP with Apache on Rocky 8 (running on port 443)
shib.conf has default settings:
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
ShibCompatValidUser Off

<Location /shibboleth/Shibboleth.sso>
    AuthType None
    Require all granted
    # not working
    ShibRequestSetting relayState /admin/
</Location>

<IfModule mod_alias.c>
    <Location /shibboleth-sp>
        AuthType None
        Require all granted
    </Location>
    Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>

<Location /secure>
    AuthType shibboleth
    ShibRequireSession On
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
shibboleth2.xml is configured and already registered with the IdP (in my
case Jagger) and available through
https://survey.com/shibboleth/Shibboleth.sso (through handlerURL =
/shibboleth/Shibboleth.sso)
LimeSurvey with Apache on Rocky 9 (running internally on port 80) and
available on https://survey.com/ (through an IngressRoute which is
appending the TLS)
My questions (where I didn't find answers):
- what is best practice:
  - deploy shib-sp in a pod (good separation from LimeSurvey's pod)
  - deploy as a sidecar to LimeSurvey (same network and shared volumes)
  - deploy directly in LimeSurvey (like bare metal)
- what is the Apache configuration for the LimeSurvey pod when
running as separate pods, when securing just /admin/ (LimeSurvey is
appending a "/" at the end)? Should I do ProxyPass and ProxyPassReverse or a
rewrite? (I know they are similar, but is there a best practice regarding
Shib?)
Is forwarding to Shibboleth.sso through an IngressRoute a good idea?
I configured traefik over an IngressRoute to forward to shib-sp:
IR:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: limesurvey-shib
  namespace: limesurvey
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/preserve-host: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  routes:
  - kind: Rule
    match: Host(`survey.com`) && PathPrefix(`/admin/`)
    services:
    - name: limesurvey
      namespace: limesurvey
      port: 80
    middlewares:
    - name: shibboleth-auth
  tls:
    secretName: acme-dns
MW:
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: shibboleth-auth
  namespace: limesurvey
spec:
  forwardAuth:
    address: https://survey.com/shibboleth/Shibboleth.sso/Login
    trustForwardHeader: true
- how do I get the Location secured? In the LimeSurvey pod there is no
Shibboleth installed, so I can't do "AuthType shibboleth".
Now, when a user gets to the /admin/ page he's being forwarded to
/shibboleth/Shibboleth.sso/Login and after a successful login with a
resulting Shib cookie he's redirected to survey.com, which is not the
desired option. He should be redirected to /admin/. So I suppose that
the relay is somehow not working; also the location in the POST answer
is set to https://survey.com... I think I have to deal with the IdP...
And a final question: do you know what to set inside the IdP (SAML consumer?)
I appreciate your help!
jim
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
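For readers following this thread, here is an added example of the "SP pod as reverse proxy" pattern that the question circles around. It is not the original poster's configuration and not something shipped by the Shibboleth project: the Apache instance that carries mod_shib proxies the whole site to LimeSurvey and enforces the session on /admin/ itself, so the LimeSurvey pod needs no Shibboleth module and no forwardAuth middleware. The public name survey.com and the handlerURL /shibboleth/Shibboleth.sso come from the post; the backend name limesurvey.limesurvey.svc.cluster.local (the Kubernetes DNS name of an assumed ClusterIP service "limesurvey" in namespace "limesurvey") and the header name X-Remote-User are assumptions chosen for the example. Because mod_shib protects the URL directly, the post-login return target is the URL the browser originally requested, which removes the need for a relayState override.

```apache
# Added example (not the original poster's shib.conf): mod_shib protects /admin/
# on the SP pod and proxies all traffic to LimeSurvey.
# Assumed (placeholders, not from the post): the LimeSurvey ClusterIP service is
# "limesurvey" in namespace "limesurvey" on port 80, and the backend reads the
# authenticated identity from the X-Remote-User header.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so
LoadModule mod_shib          /usr/lib64/shibboleth/mod_shib_24.so

# Traefik terminates TLS for survey.com. Fixing the canonical name makes the SP
# build its handler and AssertionConsumerService URLs as https://survey.com/...
# instead of deriving them from the pod's own address.
ServerName https://survey.com:443
UseCanonicalName On

# Strip any client-supplied identity header on every request, in the early
# phase, so the backend can only ever see the value mod_shib sets below.
RequestHeader unset X-Remote-User early

# Handler endpoints (SSO responses, Status, Metadata) are answered by mod_shib
# locally; the exclusion must precede the catch-all ProxyPass further down.
ProxyPass /shibboleth !
<Location /shibboleth/Shibboleth.sso>
    AuthType None
    Require all granted
</Location>

# Only the admin UI requires a session. The trailing slash matches the "/admin/"
# that LimeSurvey itself appends. After login the SP returns the browser to the
# requested URL, so no relayState override is needed here.
<Location /admin/>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Hand the identity mod_shib placed in REMOTE_USER to LimeSurvey. "set"
    # replaces the header, so nothing a client sent can survive into the backend.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
</Location>

# Everything else (public surveys) is proxied without authentication. Keeping
# the browser's Host header and announcing https lets LimeSurvey generate
# absolute links and redirects for https://survey.com/ rather than for the
# internal http listener.
ProxyRequests Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass        / http://limesurvey.limesurvey.svc.cluster.local:80/
ProxyPassReverse / http://limesurvey.limesurvey.svc.cluster.local:80/
```

With this layout the IngressRoute only has to send all of Host(`survey.com`) to the SP pod; the decision of which paths need a session lives in the Apache configuration next to mod_shib, where the SP can also clear spoofed attribute headers and set the session cookie for the same origin that serves the application.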