Further IDP and Firefox Security Warning Message Questions

Christopher Bongaarts cab at umn.edu
Wed Aug 3 16:02:54 BST 2011


Peterson, Tommy wrote:
> I saw the discussion over the last few days about this and the advice 
> involving artifacts etc. However, I was wondering if you could provide 
> me more details on the suggested Tomcat configuration for the IDP where 
> this is related.
> 
> I never had this issue until we moved to the server with the load 
> balancer, external domain names, and real SSL certificates.
> 
> The process goes like this:
> 
> 1) I access this page:
> 
>  http://(mydomain)/drupal (no ssl or cert)
> 
> 2) Then click “Log in” and the browser shows that URL changing to

Be careful - the address bar may not be in sync with what requests are 
actually active.  The Liveheaders Firefox extension is useful for seeing 
exactly what URLs you are hitting.

> https://(myIDPsdomain):8443/idp/Authn/UserPassword (ssl and cert and 
> shows tomcat favicon illuminate)

In a normal install, I'd expect that to go to the standard port 443, not 
8443.


> On the Shibboleth web site it says to configure the Tomcat server.xml 
> file as follows:
> 
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11Protocol"
>            SSLEnabled="true"
>            scheme="https"
>            clientAuth="true"
>            keystoreFile="IDP_HOME/credentials/idp.jks"
>            keystorePass="PASSWORD"
>            SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
> />
> 
> But to avoid getting a blank white page in step 2 and 3 above (or even 
> if I just try to get the Tomcat admin page by accessing 
> http://(myIDPdomain):8443 with no errors in the Tomcat or IDP logs) I 
> have had to adjust the above to

That's part of your problem - you're fixing the symptom, not the 
underlying problem.  The problem is that you're being sent to port 8443, 
when you shouldn't be (8443 is the backchannel port for things like 
SAML1 attribute queries, which is only connected to by SPs, not clients).

This might be as simple as fixing your IdP's metadata to use the correct 
ports for the SSO endpoint, but having the wrong port in there might in 
turn be a symptom of some other configuration problem.

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
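One way to check for the metadata problem described in the reply above, as an added example that is not part of this thread: the script parses IdP SAML metadata and flags browser-facing endpoints (SingleSignOnService, SingleLogoutService) whose Location points at the 8443 backchannel port, which only SPs should contact. The sample metadata, hostname and endpoint paths are constructed for the example; the assumption is that 443 is the browser-facing port and 8443 the backchannel port, as in the thread.

```python
"""Flag front-channel SAML endpoints published on the backchannel port."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

BACKCHANNEL_PORT = 8443
# Endpoints a browser gets redirected to; must not live on the backchannel port.
FRONTCHANNEL = {"SingleSignOnService", "SingleLogoutService"}


def endpoint_port(location):
    """Effective TCP port of an endpoint URL (default 443 for https, 80 for http)."""
    parts = urlsplit(location)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def find_misplaced_endpoints(metadata_xml):
    """Return (element, Location, reason) for every front-channel endpoint
    that a browser could not reach correctly: on port 8443, or not https."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # strip the metadata namespace
        if tag not in FRONTCHANNEL:
            continue
        loc = elem.get("Location", "")
        if endpoint_port(loc) == BACKCHANNEL_PORT:
            findings.append((tag, loc, "front-channel endpoint on backchannel port 8443"))
        elif urlsplit(loc).scheme != "https":
            findings.append((tag, loc, "front-channel endpoint not using https"))
    return findings


# Constructed sample: Redirect SSO wrongly on 8443, POST SSO correct, SAML1
# attribute query correctly on 8443 (that one is contacted by SPs only).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org:8443/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for tag, loc, reason in find_misplaced_endpoints(SAMPLE_METADATA):
        print(f"{tag}: {loc} -> {reason}")
```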