Delegated Auth with

Cantor, Scott cantor.2 at
Wed Nov 2 16:31:17 GMT 2011

On 11/2/11 12:10 PM, "Eric Dalquist" <eric.dalquist at> wrote:

>We had it working about a year ago but never rolled it out passed test
>environments. When we got it working I think we were on 2.3.1 for the SP
>and 2.2.1 for the IdP. We're on 2.4.3 for the SP and 2.3.2 for the IdP

The SP has a bug when you use the new <SSO> syntax, but you're not doing
that here, so the ECP support is basically the same as it was.

>Just out of curiosity, what version of the SP is that
>site running?

2.4.2 apparently.

> Any tips for things we should look for in our Apache
>config that could be preventing the headers from getting passed to the SP?

I have to think they're getting broken out ahead of it. All you could
probably do there is try and log them, maybe, or dump them out with a test
script to see if it sees them.

The code doesn't "fall back" to non-ECP if the headers are there. I just
checked that specifically. There are various errors it will throw out if
it thinks it's an ECP client and then finds anything wrong, so the problem
should be with the headers.

-- Scott

More information about the users mailing list