Delegated Auth with
Cantor, Scott
cantor.2 at osu.edu
Thu Nov 3 17:34:33 GMT 2011
On 11/3/11 1:19 PM, "Eric Dalquist" <eric.dalquist at doit.wisc.edu> wrote:
>We turned on mod_log_forensic and see the following for the request in
>the forensic log:
>
>+22677:4eb2cc10:13|GET /secure/printenv
>HTTP/1.1|Host:my-dev.doit.wisc.edu|Connection:Keep-Alive|Accept:applicatio
>n/vnd.paos+xml|PAOS:ver="urn%3aliberty%3apaos%3a2003-08";"urn%3aoasis%3ana
>mes%3atc%3aSAML%3a2.0%3aprofiles%3aSSO%3aecp"

Those constants are URL encoded. That isn't allowed, if that's literally
what it's seeing. I could add code to be permissive of course, but it
isn't there now, and the spec doesn't say anything about it being allowed.
You said the code you were using worked against the SP I suggested trying,
but it wouldn't work if the header looked like that.

>That seems to show the PAOS header coming through as expected. Is there
>any way to turn up logging for mod_shib and/or the SP so that it dumps
>out what it is seeing for headers?

It sees whatever Apache sees.

-- Scott
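
An added example, not code from this thread or from the Shibboleth SP: mod_log_forensic writes `:`, `|` and `%` inside logged values as `%xx`, so this Python check first undoes that log escaping and only then tests whether the PAOS header the server received carried literal or percent-encoded URNs. The function names, the request id and the host `sp.example.org` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Literal forms of the two constants in the PAOS header quoted above.
PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

def forensic_escape(value):
    """Escape a value the way the forensic log does ('%' first)."""
    return value.replace("%", "%25").replace(":", "%3a").replace("|", "%7c")

def parse_forensic(line):
    """Return the headers of a '+' forensic entry as Apache received them."""
    if not line.startswith("+"):
        raise ValueError("not a request-start ('+') entry")
    headers = {}
    for field in line.rstrip("\n").split("|")[2:]:  # skip id and request line
        name, _, value = field.partition(":")
        headers[name.lower()] = unquote(value)  # undo the log's own escaping
    return headers

def check_paos(value):
    """Classify a PAOS header value exactly as the server saw it."""
    quoted = re.findall(r'"([^"]*)"', value)
    if PAOS_VERSION in quoted and ECP_SERVICE in quoted:
        return "ok"
    decoded = [unquote(q) for q in quoted]
    if PAOS_VERSION in decoded and ECP_SERVICE in decoded:
        return "percent-encoded"  # client encoded the URNs; not valid
    return "missing-or-unknown"

# Constructed sample input: hypothetical request id and host name.
WIRE_OK = 'ver="%s";"%s"' % (PAOS_VERSION, ECP_SERVICE)
WIRE_ENCODED = WIRE_OK.replace(":", "%3a")

def sample_line(paos_value):
    return ("+1000:00000000:1|GET /secure/printenv HTTP/1.1"
            "|Host:sp.example.org|PAOS:" + forensic_escape(paos_value))

if __name__ == "__main__":
    for wire in (WIRE_OK, WIRE_ENCODED):
        line = sample_line(wire)
        print(check_paos(parse_forensic(line)["paos"]), "<-", line)
```

A header that was percent-encoded on the wire shows up in the forensic log as `%253a`, while a literal colon shows up as `%3a`.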