SP 2.5 cookieProps

Peter Schober peter.schober at univie.ac.at
Wed Aug 8 16:56:07 EDT 2012


* Cantor, Scott <cantor.2 at osu.edu> [2012-08-08 22:18]:
> On 8/8/12 4:02 PM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
> >
> >Also for the Sessions element the rules are explicitly spelled out to
> >work as described by the OP:
> >
> >  "If present in the override, the default element's attribute content
> >   is ignored."
> 
> That was me just adding it.

No, but I was looking at and quoting from
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride
not NativeSPSessions (which is what was mentioned before).

> >Regarding one of these new warnings ("handlerSSL should be enabled for
> >SSL/TLS-enabled web sites"): For SPs which need access to the
> >assertion itself this might be slightly annoying when the GetAssertion
> >handler might not be available via https and hence have set
> >handlerSSL="false" even though the site is still https only.
> 
> Couldn't the handler still be available over SSL? It's not a given
> that it won't be.

I'm not saying it cannot work. In fact in my case changing
exportLocation to the FQDN and adding the routable IP address to
exportACL made things work with handlerSSL="true". But I'd rather have
that warning in the log than leave the SP set up that way.

Connecting to localhost via https failed because that webserver isn't
currently configured to serve https on the loopback interface (which
could be changed in this case) and even then possibly still might fail
in the application (pkix hostname validation or whatever). Which,
again, could probably be changed.

I actually agree with that new default (the warnings) as, as I said, I
always run with handlerSSL="true" on any other SP and the one
mentioned above is the outlier.
-peter
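
Added example, not part of the original message or of the Shibboleth project's code: a small audit that applies the override rule quoted above (an override's own Sessions element replaces the default's attributes rather than merging with them) and reports the effective handlerSSL, cookieProps and exportLocation per application. The sample configuration, host names and application ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace of the SP 2.x native configuration file (shibboleth2.xml).
NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample configuration; entityID, ids and hosts are placeholders.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https"/>
    <ApplicationOverride id="legacy">
      <Sessions lifetime="28800" timeout="3600" handlerSSL="false"
                exportLocation="http://localhost/Shibboleth.sso/GetAssertion"
                exportACL="127.0.0.1"/>
    </ApplicationOverride>
    <ApplicationOverride id="inherits"/>
  </ApplicationDefaults>
</SPConfig>"""

def effective_sessions(xml_text):
    """Map application id -> attributes of the <Sessions> element in effect."""
    root = ET.fromstring(xml_text)
    defaults = root.find("sp:ApplicationDefaults", NS)
    base = defaults.find("sp:Sessions", NS)
    base_attrs = dict(base.attrib) if base is not None else {}
    result = {"default": base_attrs}
    for ov in defaults.findall("sp:ApplicationOverride", NS):
        own = ov.find("sp:Sessions", NS)
        # An override's own <Sessions> replaces the default's attributes
        # wholesale; an override without one uses the default element.
        result[ov.get("id")] = dict(own.attrib) if own is not None else dict(base_attrs)
    return result

def audit(xml_text):
    """Return (application id, finding) pairs for the settings discussed above."""
    findings = []
    for app, attrs in effective_sessions(xml_text).items():
        if attrs.get("handlerSSL") == "false":
            findings.append((app, "handlerSSL is false"))
        if "cookieProps" not in attrs:
            findings.append((app, "cookieProps not set on effective Sessions"))
        if attrs.get("exportLocation", "").startswith("http://"):
            findings.append((app, "exportLocation uses plain http"))
    return findings

if __name__ == "__main__":
    for app, msg in audit(SAMPLE):
        print(f"{app}: {msg}")
```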

