Enabling ECP in SP 2.4.3
Chad La Joie
lajoie at itumi.biz
Sat Sep 10 12:36:53 BST 2011
A user-agent can make a request to any resource but part of configuring the SP is indicating which resources you want protected. The example configurations (and examples in the docs) protected the path '/secure'. But that's only an example. You could protect the whole site, just the login page, '/content' but not '/content/images' and '/content/css'; whatever makes sense for your use case. I don't recall you saying which web server you're using so I can't tell you where exactly to look, but a good place to start in the documentation would be here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap
Chad La Joie
trusted identities, delivered
On Sep 10, 2011, at 7:24 AM, Tom Mitchell wrote:
> On Sep 9, 2011, at 8:31 PM, Cantor, Scott wrote:
>> On 9/9/11 8:16 PM, "Tom Mitchell" <tmitchel at bbn.com> wrote:
>>> Finally, I see the open bug (SSPCPP-371) with what amounts to the same
>>> information. I tried the additional suggestion by Scott Cantor (adding
>>> ECP="true") to the SSO tag and that doesn't seem to work.
>> Also does.
> You're right, it does.
>>> I am using two methods to test: the sample bash ECP client script
>>> (ecp.sh) on the Contributions wiki page, and manual testing using curl
>>> (based on ecp.sh and a cursory read of the relevant portion of the spec).
>>> What I see instead of an ECP-like response from my SP is the HTML
>>> redirecting to my discovery service.
>>> Any suggestions? Tips? Pointers?
>> Well, you're not sending the right HTTP headers, basically. If they're
>> sent, it will work.
> Actually, I think I was sending the right headers (Accept and PAOS), copied right out of the spec. But I was fetching the wrong URL. The example in the spec (Sec. 22.214.171.124) shows a fetch of "/secure/". I was trying to fetch an application page ("/secure/env.php"). Switching to "/secure/" allowed both my manual test and the ecp.sh script to work.
> Maybe I'm just not good at reading specs, but section 2.3.1 says "the client makes an arbitrary HTTP request to a service provider for a resource". So I thought it was reasonable to request my application page instead of the literal "/secure/". What did I miss?
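As an added illustration of the reply above (not part of the original message or the Shibboleth documentation), a RequestMap fragment for shibboleth2.xml that protects '/content' while leaving '/content/images' and '/content/css' open. The host name sp.example.org is a placeholder, and the fragment assumes the Native request mapper.

```xml
<!-- Added example; sp.example.org is a placeholder host name. -->
<RequestMapper type="Native">
    <RequestMap>
        <Host name="sp.example.org">

            <!-- The path from the stock example configuration:
                 /secure and everything beneath it requires a session. -->
            <Path name="secure" authType="shibboleth" requireSession="true"/>

            <!-- /content requires a session; nested Path elements inherit
                 the parent's settings and override only what they set. -->
            <Path name="content" authType="shibboleth" requireSession="true">
                <!-- Static assets under /content stay reachable
                     without a session. -->
                <Path name="images" requireSession="false"/>
                <Path name="css" requireSession="false"/>
            </Path>

        </Host>
    </RequestMap>
</RequestMapper>
```

On Apache the module only acts on locations where `AuthType shibboleth` and a `Require` rule are also in effect, so the web server configuration has to cover the same paths.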