From UK Federation Information Centre

Documents: IdPToTwoPorts

Converting an IdP to use separate ports

Background

Some IdP installations use the same hostname and port combination both for browser communication (SSO) and for attribute query (AA and Artifact). This is quite a 'brittle' configuration but it does require less work at the firewall.

However, a recent vulnerability in SSL has resulted in a patch to some dependent libraries being issued. An IdP which relies on single host/port operation will cease to work when it encounters this patch, whether the patch is installed on the IdP or on the SP it is communicating with.

This document describes how to reconfigure such IdPs to use the more traditional configuration of separate ports for browser access and AA or Artifact. This is a three part operation. In the first part the IdP is configured to listen on both ports, then the metadata is changed, instructing the SPs to use the new port. After a suitable delay to allow the metadata to fully propagate, the old connection may be removed from the configuration.

Preliminaries

Ensure that the port designated for AA and Artifact is open at any firewalls protecting the IdP server. This is usually 8443 (as used in the examples below).

Adding the new port – Apache httpd

Locate and edit the SSL configuration file for your Apache httpd configuration. Within the file locate the <VirtualHost> directive for the 443 port and within that the <Location> directive for the AA (and the one for the Artifact, if it exists).

 <VirtualHost _default_:443>
     [...]
     SSLCertificateFile "/path/to/file.crt"
     SSLCertificateKeyFile "/path/to/file.key"
     SSLCertificateChainFile "/path/to/CACert.crt"
     [...]

     ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/

     <Location /shibboleth-idp/AA>
         SSLVerifyClient optional_no_ca
         SSLVerifyDepth 10
     </Location>

     <Location /shibboleth-idp/Artifact>
         SSLVerifyClient optional_no_ca
         SSLVerifyDepth 10
     </Location>

     [...]
 </VirtualHost> 

Note: This is for a Shibboleth 1.3 IdP. For 2.0 the path will probably be /idp/ and there may be more <Location> directives. Equally, depending on your configuration, the <Location> and ProxyPass directives may be outside the <VirtualHost> directive.

• If ProxyPass is inside the <VirtualHost> directive then move it outside.
• Add a new <VirtualHost> directive for the new port (8443). This can be a copy of the 443 one.
• Remove the <Location> statements from the 8443 <VirtualHost>.
• Add the two lines SSLVerifyClient optional_no_ca and SSLVerifyDepth 10 to the 8443 <VirtualHost>.
• Find the line which instructs Apache to listen on the 443 port and add a line to listen on port 8443.

 Listen 443
 Listen 8443 

The complete recommended Apache httpd configuration may be found here. This is the same for Shibboleth 1.3 and Shibboleth 2.x IdPs using Apache httpd, except for the difference in path mentioned above.

• Test that the configuration is correct (using the -t qualifier to httpd).
• If all is OK restart the apache httpd service.

Configuring the IdP for the new port (1.3 only)

Note: Shibboleth 2.x does not check the ports and hence needs no changes.

Edit the file configuration file etc/idp.xml and change the regexp associated with the AA and Artifact ports to include the new port. For instance:

 <ProtocolHandler
     implementation="edu.internet2.middleware.shibboleth.idp.provider.ShibbolethV1SSOHandler">
     Location>https?://[^:/]+(:(443|80))?/shibboleth-idp/SSO</Location> 
 </ProtocolHandler>
 <ProtocolHandler
     implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_AttributeQueryHandler">
     <Location>https://[^:/]+(:(443|8443))?/shibboleth-idp/AA</Location>
 </ProtocolHandler>
 <ProtocolHandler
     implementation="edu.internet2.middleware.shibboleth.idp.provider.SAMLv1_1ArtifactQueryHandler">
     <Location>https://[^:/]+(:(443|8443))?/shibboleth-idp/Artifact</Location>
 </ProtocolHandler>
 <ProtocolHandler
    implementation="edu.internet2.middleware.shibboleth.idp.provider.Shibboleth_StatusHandler">
    <Location>https://[^:/]+(:443)?/shibboleth-idp/Status</Location>
 </ProtocolHandler>  

Note: you should leave the SSO and Status end points untouched.

Change the AAUrl attribute in the <IdpConfig> element to point to the new port:

  AAUrl="https://idp.mysite.ac.uk:8443/shibboleth-idp/AA" 

Restart Tomcat and httpd.

You are now running with both ports enabled.

Change your metadata

You should contact UK Federation support to get your metadata changed. Once the change has been made retest, firstly against the Federation test site at https://sh2testsp1.iay.org.uk/index.html (testing the default as well as the explicit SAML1 artifact and POST profiles). If this works you should test with the failing SP.

Removing the old support

This should be done several weeks after the metadata change has been propagated.

• Remove any <Location> statements to do with special casing the AA and Artifact ports from the SSL configuration for httpd.
• (1.3 only) Remove the 443 listeners from the declaration of the AA and Artifact endpoints in etc/idp.xml.