shib-apache.conf

<VirtualHost *:80>

  LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
  ShibCompatValidUser On
  UseCanonicalName On
  DocumentRoot "/var/www/html"

  PassEnv APACHE_SERVERNAME
  ServerName "${APACHE_SERVERNAME}"

  <Location "/Shibboleth.sso">
    SetHandler shib
  </Location>

  # Internally redirected to here. Rewrite for proper relaystate in shib
  <Location /secure>
    <If "-n req('Authorization')">
      Require valid-user
      AuthType Basic
      AuthBasicProvider file
      AuthName "/secure"
      AuthUserFile /run/secrets/BASIC_AUTH_USERS_AUTH
    </If>
    <Else>
      RewriteEngine On
      RewriteCond %{HTTP:X-Forwarded-Uri} ^(.*)$ [NC]
      RewriteRule ^.*$ %1 [PT]
    </Else>
  </Location>

  # Match renderer services
  <LocationMatch "^/(admin|ows|opensearch)">
    RewriteEngine On
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-plugin /etc/shibboleth/pass-ac.xml
    RewriteRule ^.*$ - [R=200]
  </LocationMatch>

  # Match everything not above like /cache or the client
  <LocationMatch "^(?!/(Shibboleth.sso|secure|admin|ows|opensearch))">
    RewriteEngine On
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-plugin /etc/shibboleth/pass-ac-cache.xml
    RewriteRule ^.*$ - [R=200]
  </LocationMatch>

</VirtualHost>