Hi
I may be the last person in the world to have sussed this out, but in case I'm not, here are the results of today's "tearing my hair out". I may be significantly balder, but I'm also quite happy to have got to the bottom of this.
I'd forgotten this was still a problem until starting to roll out the SP in earnest. I expect everyone has noticed that if you go to:
https://mymachine.mysite.ac.uk/Shibboleth.sso/Metadata then all of your metadata URLs are https://, e.g.
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.wibblywobbly.co.uk/Shibboleth.sso/SAML2/POST" index="1"/>
But if you go to
http://mymachine.mysite.ac.uk/Shibboleth.sso/Metadata
all of the urls start http://
This is fine, and you can stick either set of metadata into your local-metadata.xml file, but if you got the metadata with https:// then you can only go to that particular host with https, and vice versa.
You get the Error Message: "No peer endpoint available to which to send SAML response" otherwise.
To get around this until I could work out what "I'd done wrong", I just stuck both forms into the local metadata and forgot about it. This was fine with toy IdPs, but now that it's real machines it just didn't seem right.
Well, it seems I may not have done anything wrong. I finally tracked down a discussion that had taken place in November: http://shibboleth.1660669.n2.nabble.com/SP-metadata-in-http-and-or-https-td4058224.html where one argument seems to be that you should never run your web site in http:// anyway, but that just isn't an option we have with _other people's web servers_ we're trying to protect. Thankfully the person asking did find a solution: in the <Sessions> section of shibboleth2.xml you put
handlerSSL="true"
and this forces all of the Shibb traffic over SSL, thereby simplifying your metadata requirement. I was puzzled that I'd never found this documented anywhere before. BUT I did eventually find it... in the Shibboleth 1 documentation: https://spaces.internet2.edu/display/SHIB/SPProtectionConfig :
"handlerSSL: If true, requests for the session initiators associated with this application will force sessions over SSL. This should be set to true when applications are hosted over http://, and is also useful in situations where the web server is providing improper schema information to Shibboleth."
Is there some much more obvious way of doing this that I've missed?
Cheers
Andy
The University of Dundee is a registered Scottish charity, No: SC015096
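Two checks a deployer would run after applying the fix described in the post above, as an added example (this is not the poster's code, nor code from the Shibboleth project): the first parses a shibboleth2.xml fragment and confirms that <Sessions> explicitly carries handlerSSL="true"; the second scans the metadata the SP publishes and reports any endpoint Location that is not https://, which is exactly the condition that produces the "No peer endpoint available" mismatch when an IdP is handed the http:// flavour. The config fragments, the entityID, the host name and the metadata samples are all constructed for the example; the cookieProps="https" attribute in the fixed fragment is a related hardening that the post does not mention and is included as an assumption.

```python
"""Checks for the handlerSSL fix discussed above (added example).

  1. Does shibboleth2.xml set handlerSSL="true" on <Sessions>?
  2. Does the metadata the SP publishes contain only https:// endpoint
     Locations, so no IdP can be given an http:// AssertionConsumerService?

All XML below is constructed sample input, not taken from a real deployment.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "conf": "urn:mace:shibboleth:2.0:native:sp:config",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed shibboleth2.xml fragment with the weak setting.
SHIBBOLETH2_WEAK = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://www.wibblywobbly.co.uk/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false"/>
  </ApplicationDefaults>
</SPConfig>
"""

# The same fragment with the fix from the post (handlerSSL="true"), plus
# cookieProps="https" (assumption, not from the post) so the session cookie
# is only ever sent over TLS as well.
SHIBBOLETH2_FIXED = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://www.wibblywobbly.co.uk/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true"
              cookieProps="https"/>
  </ApplicationDefaults>
</SPConfig>
"""


def metadata_sample(scheme: str) -> str:
    """Constructed SP metadata of the shape Shibboleth.sso/Metadata returns.

    Every endpoint is built on the given scheme, mirroring the post's
    observation that the scheme follows the URL the metadata was fetched from.
    """
    host = f"{scheme}://www.wibblywobbly.co.uk/Shibboleth.sso"
    return f"""\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://www.wibblywobbly.co.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{host}/SLO/Redirect"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{host}/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def handler_ssl_forced(config_xml: str) -> bool:
    """True only if <Sessions> explicitly carries handlerSSL="true"."""
    root = ET.fromstring(config_xml)
    sessions = root.find(".//conf:Sessions", NS)
    if sessions is None:
        raise ValueError("no <Sessions> element found in shibboleth2.xml")
    return sessions.get("handlerSSL", "").strip().lower() == "true"


def non_https_endpoints(metadata_xml: str) -> List[str]:
    """Return every Location/ResponseLocation that is not served over https."""
    root = ET.fromstring(metadata_xml)
    bad = []
    for el in root.iter():  # document order, so results are deterministic
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is not None and not url.lower().startswith("https://"):
                bad.append(url)
    return bad


if __name__ == "__main__":
    for name, cfg in (("weak", SHIBBOLETH2_WEAK), ("fixed", SHIBBOLETH2_FIXED)):
        print(f"{name} config: handlerSSL forced = {handler_ssl_forced(cfg)}")
    for scheme in ("http", "https"):
        bad = non_https_endpoints(metadata_sample(scheme))
        print(f"metadata fetched over {scheme}: {len(bad)} non-https endpoint(s)")
        for url in bad:
            print("  ", url)
```

In a real deployment you would feed `non_https_endpoints` the body of a GET to your own `/Shibboleth.sso/Metadata` over plain http as well as https; once handlerSSL is in force both fetches should come back clean, and that single https-only document is the one to hand to IdP operators.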