
Wednesday, September 5, 2018

OpenAM mod_auth_mellon multi-domain, multi-server Apache setup


The Apache Server document could be updated to clarify a few things with regard to load-balanced web sites and multiple web virtual hosts.

For load-balanced sites that use host-specific key/certificate pairs, there needs to be a metadata file for each web server, each with a unique EntityID, because the certificates differ.

For web servers providing multiple web vhosts, a global mellon.conf doesn't work for all of the sites. Each vhost that needs to use SAML auth will need its own mellon.conf that specifies the site-specific MellonSPMetadataFile and endpoint URL.

My setup:
Load Balanced Web Servers
web1-co-dmz
web2-co-dmz

Web Virtual Hosts, configured on each web server
vhost1.com
vhost2.com

Multi-domain certificate that includes both names. Each server has its own private key/certificate pair.
For the EntityIDs I used the following:
entityID="https://vhost1.com_web1"
entityID="https://vhost1.com_web2"
entityID="https://vhost2.com_web1"
entityID="https://vhost2.com_web2"

I wound up creating two mellon.conf files in /etc/httpd/conf/saml2 on each web server.
web1-co-dmz:/etc/httpd/saml2/https_vhost2.com_web1.xml
web1-co-dmz:/etc/httpd/saml2/https_vhost1.com_web1.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost2.com_web2.xml
web2-co-dmz:/etc/httpd/saml2/https_vhost1.com_web2.xml

I then added an Include to each web vhost configuration, example:
vhost1.v-vhost.conf: Include saml2/www_mellon.conf
vhost2.com-vhost.conf: Include saml2/data_mellon.conf
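
A per-vhost Mellon include for vhost1.com on web1-co-dmz could look like the following. This is an added example, not the author's actual configuration: the metadata file name, EntityID and include name follow the post, while the key, certificate and IdP metadata paths, the `/mellon` endpoint path and the `/protected` location are assumptions.

```apache
# /etc/httpd/saml2/www_mellon.conf on web1-co-dmz (constructed example).
# Pulled into the vhost1.com <VirtualHost> block with:
#     Include saml2/www_mellon.conf
# Include paths are resolved relative to ServerRoot (/etc/httpd here).

<Location />
    # Make Mellon session data available without forcing a login everywhere.
    MellonEnable "info"

    # Endpoint path on this vhost. The AssertionConsumerService URL in the
    # SP metadata must match it, e.g. https://vhost1.com/mellon/postResponse
    MellonEndpointPath "/mellon"

    # SP metadata for this vhost on this server.
    # It declares entityID="https://vhost1.com_web1".
    MellonSPMetadataFile /etc/httpd/saml2/https_vhost1.com_web1.xml

    # Host-specific key pair (assumed paths). The certificate here must be
    # the same one embedded in the metadata file above, which is why web1
    # and web2 cannot share a metadata file or an EntityID.
    MellonSPPrivateKeyFile /etc/httpd/saml2/web1.key
    MellonSPCertFile       /etc/httpd/saml2/web1.cert

    # IdP metadata exported from OpenAM (assumed path).
    MellonIdPMetadataFile  /etc/httpd/saml2/idp-metadata.xml
</Location>

# Hypothetical protected area that requires a SAML login.
<Location /protected>
    AuthType Mellon
    MellonEnable "auth"
    Require valid-user
</Location>

# On web2-co-dmz the same include differs only in the server-specific lines:
#     MellonSPMetadataFile   /etc/httpd/saml2/https_vhost1.com_web2.xml
#     MellonSPPrivateKeyFile /etc/httpd/saml2/web2.key
#     MellonSPCertFile       /etc/httpd/saml2/web2.cert
# The vhost2.com include follows the same pattern with its own metadata
# file (https_vhost2.com_web1.xml / https_vhost2.com_web2.xml).
```

Each of the four EntityIDs needs its own service provider registration on the OpenAM side, using the matching metadata file.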

I hope that helps.
