Further IDP and Firefox Security Warning Message Questions
Christopher Bongaarts
cab at umn.edu
Wed Aug 3 16:02:54 BST 2011
Peterson, Tommy wrote:
> I saw the discussion over the last few days about this and the advice
> involving artifacts etc. However, I was wondering if you could provide
> me more details on the suggested Tomcat configuration for the IDP where
> this is related.
>
> I never had this issue until we moved to the server with the load
> balancer, external domain names, and real SSL certificates.
>
> The process goes like this:
>
> 1) I access this page:
>
> http://(mydomain)/drupal (no ssl or cert)
>
> 2) Then click “Log in” and the browser shows that URL changing to
Be careful - the address bar may not be in sync with what requests are
actually active. The Liveheaders Firefox extension is useful for seeing
exactly what URLs you are hitting.
> https://(myIDPsdomain):8443/idp/Authn/UserPassword (SSL and cert, and
> shows the Tomcat favicon illuminated)
In a normal install, I'd expect that to go to the standard port 443, not
8443.
> On the Shibboleth web site it says to configure the Tomcat server.xml
> file as follows:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol"
> SSLEnabled="true"
> scheme="https"
> clientAuth="true"
> keystoreFile="IDP_HOME/credentials/idp.jks"
> keystorePass="PASSWORD"
> SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
> />
>
> But to avoid getting a blank white page in step 2 and 3 above (or even
> if I just try to get the Tomcat admin page by accessing
> http://(myIDPdomain):8443 with no errors in the Tomcat or IDP logs) I
> have had to adjust the above to
That's part of your problem - you're fixing the symptom, not the
underlying problem. The problem is that you're being sent to port 8443,
when you shouldn't be (8443 is the backchannel port for things like
SAML1 attribute queries, which is only connected to by SPs, not clients).
This might be as simple as fixing your IdP's metadata to use the correct
ports for the SSO endpoint, but having the wrong port in there might in
turn be a symptom of some other configuration problem.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
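The check Chris suggests, turned into a script, as an added example that is not part of the thread or of the Shibboleth project: it parses an IdP metadata file and flags browser-facing endpoints (SingleSignOnService, SingleLogoutService) whose Location points at the client-certificate back-channel port, which is exactly what sends a browser to the clientAuth="true" connector and produces the blank page or certificate prompt. The sample metadata, the hostname idp.example.org, and the assumption that 443 is the browser port and 8443 the back-channel port (the stock Shibboleth IdP 2.x layout) are constructed for the example; substitute your own idp-metadata.xml.

```python
"""Flag Shibboleth IdP metadata endpoints that send browsers to the back-channel port.

Added example, not code from the mailing-list post or from Shibboleth.
Assumption (not stated in the thread): browser-facing endpoints live on the
normal HTTPS port (443) and the client-certificate connector is on 8443.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Endpoints a browser is redirected to; a clientAuth="true" connector breaks these.
FRONT_CHANNEL = {"SingleSignOnService", "SingleLogoutService"}
# Endpoints only SPs contact directly over SOAP; these belong on the back channel.
BACK_CHANNEL = {"AttributeService", "ArtifactResolutionService"}

BACK_CHANNEL_PORT = 8443  # assumed, matches the quoted Tomcat connector


def endpoint_port(location):
    """Effective TCP port of an endpoint URL (443 for https with no explicit port)."""
    u = urlparse(location)
    if u.port is not None:
        return u.port
    return 443 if u.scheme == "https" else 80


def check_idp_metadata(xml_text):
    """Return a list of (element, Location, problem) tuples for suspect endpoints."""
    root = ET.fromstring(xml_text)
    problems = []
    for el in root.iter():
        if not el.tag.startswith("{%s}" % MD_NS):
            continue
        tag = el.tag.split("}", 1)[1]
        loc = el.get("Location")
        if loc is None or tag not in FRONT_CHANNEL | BACK_CHANNEL:
            continue
        if urlparse(loc).scheme != "https":
            problems.append((tag, loc, "endpoint is not https"))
            continue
        port = endpoint_port(loc)
        if tag in FRONT_CHANNEL and port == BACK_CHANNEL_PORT:
            # This is the failure in the thread: the browser lands on the
            # client-cert connector and gets a blank page.
            problems.append((tag, loc, "browser endpoint on back-channel port %d" % port))
        elif tag in BACK_CHANNEL and port != BACK_CHANNEL_PORT:
            problems.append((tag, loc, "back-channel endpoint not on port %d" % BACK_CHANNEL_PORT))
    return problems


# Constructed sample: one Shibboleth 1 SSO endpoint wrongly on 8443, one SAML2
# SSO endpoint correctly on 443, back-channel endpoints correctly on 8443.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org:8443/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for tag, loc, problem in check_idp_metadata(SAMPLE_METADATA):
        print("%s %s: %s" % (tag, loc, problem))
```

Fixing the flagged Location in the IdP's own metadata (and in every copy the SPs and federation hold) is the repair; loosening clientAuth on the 8443 connector only hides the symptom and weakens the back channel that SPs rely on for attribute queries.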