When several websites hosted on the same server are protected by the Shibboleth Service Provider (SP), they all share one session configuration: the same entityID, the same lifetime and timeout values, and so on. Sometimes one site, or one directory of a site, needs different behavior. For example, suppose only one directory of a site should accept GuestID logins. GuestID login is not allowed by default; to grant it, the Shibboleth Identity Provider (IdP) must be configured to permit GuestID login for your SP, and the IdP makes that decision based on the SP's entityID. To enable GuestID login for one site or directory without enabling it for the other sites on the same server, give that site or directory its own entityID with an ApplicationOverride. Reference: ApplicationOverride. The example below shows how to define a new entityID for a directory and how to make Apache use it.

  • Edit shibboleth2.xml: add an <ApplicationOverride ...> block inside <ApplicationDefaults ...>
ApplicationOverride
<ApplicationDefaults entityID="xxx" ... >
    ...
    ...
    <ApplicationOverride id="allowGuestID" entityID="https://mysite2.cit.cornell.edu/shibboleth">
        <Sessions lifetime="3600" timeout="3600" checkAddress="false" handlerSSL="true"
                  cookieProps="https" handlerURL="/myguestidLocation/Shibboleth.sso">
        </Sessions>
    </ApplicationOverride>

</ApplicationDefaults>

Note: If the ApplicationOverride covers an entire website (a virtual host), it can use the default handler URL; in that case remove the handlerURL attribute from the example above. For an override that covers only a directory, the handlerURL must point inside that directory (here /myguestidLocation/Shibboleth.sso), so that the Apache setting below also applies to the handler requests. Otherwise the SSO response is processed by the default application and no session is created for the override.


  • Edit the Apache configuration to use the ApplicationOverride
Apache configuration
<Location /myguestidLocation>
    AuthType  shibboleth
    ShibRequestSetting applicationId allowGuestID
    ...
</Location>