Question

I have two servers - Server A and Server B, each with their own public IP address.

Server A hosts my production web application:

http://client1.mydomain.com
http://client2.mydomain.com
http://client3.mydomain.com

Server B hosts my Shibboleth Service Provider instance:

http://sso.mydomain.com

I have successfully configured Shibboleth to protect a resource on Server B, but I'm wondering, is it possible to have it protect resources on Server A? (i.e., have the Shibboleth service step in front of any requests going to client2.mydomain.com)

Here's an excerpt from my shibboleth2.xml file:

This line works for Server B:

<Host name="sso.mydomain.com">
  <Path name="secure" authType="shibboleth" requireSession="true"/>
</Host>

This line does NOT work:

<Host name="client2.mydomain.com" applicationId="admin" authType="shibboleth" requireSession="true"/>

Am I doing it wrong? Is it even possible? If it's not possible, do I need to also set up a Shibboleth configuration in my staging and qa environments? That seems excessive.


Solution

See the Shibboleth docs: NativeSPOneMany - https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPOneMany

This directly addresses your question.

It's possible, but Server B has to act as a proxy for Server A, and no secured application traffic can flow directly from the client to Server A.
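
A sketch of the proxy layout described above, as an added example that is not part of the original answer or of the Shibboleth documentation. It assumes Apache httpd 2.4 with mod_proxy and mod_shib (SP 2.5 or later) on Server B and Apache httpd 2.4 on Server A; the addresses 192.0.2.10 (Server A) and 192.0.2.20 (Server B) are placeholders.

```apache
# ---------- Server B: runs shibd + mod_shib, fronts Server A ----------
# Assumption: DNS for client2.mydomain.com resolves to Server B, not Server A.
# The question's URLs are http; the same layout applies to a *:443 vhost.
<VirtualHost *:80>
    ServerName client2.mydomain.com

    ProxyRequests Off
    # Keep the original Host header so Server A selects the right site.
    ProxyPreserveHost On

    # The SP's own handler endpoints must be served locally, not proxied.
    ProxyPass        /Shibboleth.sso !
    ProxyPass        / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/

    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        # Environment variables do not cross the proxy hop, so attributes
        # have to be exported as request headers for Server A to see them.
        ShibUseHeaders On
        Require shib-session
    </Location>
</VirtualHost>

# ---------- Server A: backend application ----------
<VirtualHost *:80>
    ServerName client2.mydomain.com

    <Location />
        # Accept connections from Server B only. If clients can reach
        # Server A directly, they skip the SSO check and can supply their
        # own identity headers, which the application would then trust.
        Require ip 192.0.2.20
    </Location>
</VirtualHost>
```

The `Require ip` rule on Server A is the part that enforces the answer's condition; a host firewall rule limiting the backend port to Server B gives the same guarantee at the network layer.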

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow