Enabling ECP in SP 2.4.3
tmitchel at bbn.com
Sat Sep 10 13:25:47 BST 2011
I can't repeat what I thought I was seeing on the paths ("/secure/" vs. "/secure/env.php"). They both clearly work now.
Thanks again, I appreciate the help,
On Sep 10, 2011, at 7:36 AM, Chad La Joie wrote:
> A user-agent can make a request to any resource but part of configuring the SP is indicating which resources you want protected. The example configurations (and examples in the docs) protected the path '/secure'. But that's only an example. You could protect the whole site, just the login page, '/content' but not '/content/images' and '/content/css,'; whatever makes sense for your use case. I don't recall you saying which web server you're using so I can't tell you where exactly to look, but a good place to start in the documentation would be here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMap
> Chad La Joie
> trusted identities, delivered
> On Sep 10, 2011, at 7:24 AM, Tom Mitchell wrote:
>> On Sep 9, 2011, at 8:31 PM, Cantor, Scott wrote:
>>> On 9/9/11 8:16 PM, "Tom Mitchell" <tmitchel at bbn.com> wrote:
>>>> Finally, I see the open bug (SSPCPP-371) with what amounts to the same
>>>> information. I tried the additional suggestion by Scott Cantor (adding
>>>> ECP="true") to the SSO tag and that doesn't seem to work.
>>> Also does.
>> You're right, it does.
>>>> I am using two methods to test: the sample bash ECP client script
>>>> (ecp.sh) on the Contributions wiki page, and manual testing using curl
>>>> (based on ecp.sh and a cursory read of the relevant portion of the spec).
>>>> What I see instead of an ECP-like response from my SP is the HTML
>>>> redirecting to my discovery service.
>>>> Any suggestions? Tips? Pointers?
>>> Well, you're not sending the right HTTP headers, basically. If they're
>>> sent, it will work.
>> Actually, I think I was sending the right headers (Accept and PAOS), copied right out of the spec. But I was fetching the wrong URL. The example in the spec (Sec. 220.127.116.11) shows a fetch of "/secure/". I was trying to fetch an application page ("/secure/env.php"). Switching to "/secure/" allowed both my manual test and the ecp.sh script to work.
>> Maybe I'm just not good at reading specs, but section 2.3.1 says "the client makes an arbitrary HTTP request to a service provider for a resource". So I thought it was reasonable to request my application page instead of the literal "/secure/". What did I miss?
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users