Is it okay to NOT run with Artifact resolution and 8443
Cantor, Scott
cantor.2 at osu.edu
Fri Sep 7 13:40:29 EDT 2012
On 9/7/12 1:26 PM, "Brad Hannah" <hannahb at queensu.ca> wrote:
>I am deploying a new IDP and would like to only enable the required
>protocols. I am not clustering on my application server (Tomcat) and as
>such would prefer not to use Artifact resolution. As I understand it, if
>I don't use Artifact then I don't need to host on port 8443. Is this correct?
Any SP->IdP communication with SOAP is over that port. Artifact and
attribute queries are the existing profiles that use it, and various
extensions can use it.
>Is it unreasonable to disable this?
If you need a profile that requires it, you need it, otherwise you don't.
You can always leave it enabled and simply firewall the port too.
> Is it unreasonable to disable SAML1x as well?
Well, if you block queries, chances are you're not using SAML 1 either, at
least in a default way.
> I understand I may have a future service that only supports SAML1x, but
>hypothetically if I wanted to, would I only have to edit my
>idp-metadata.xml and remove any mentions of artifacts and SAML1?
More or less. There are other beans that handle artifact processing, but
it's not worth messing with internal files to turn them off.
-- Scott
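
An added example, not part of the original thread or of the Shibboleth code base: one way to see what an idp-metadata.xml still advertises before firewalling 8443 or trimming the file, by listing endpoints on that port, SOAP and artifact endpoints, and SAML 1 protocol support. The function name `audit`, the sample metadata and the idp.example.org host are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SAML1_PROTOCOLS = {"urn:oasis:names:tc:SAML:1.0:protocol",
                   "urn:oasis:names:tc:SAML:1.1:protocol",
                   "urn:mace:shibboleth:1.0"}

# Constructed sample metadata (hypothetical host), not a real deployment's file.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

def audit(xml_text, soap_port=8443):
    """Return (role, element, reasons, value) for each SOAP/artifact/SAML1 item advertised."""
    findings = []
    for role in ET.fromstring(xml_text).iter():
        protos = set(role.get("protocolSupportEnumeration", "").split())
        if not protos:
            continue  # not a role descriptor
        role_name = role.tag.replace(MD, "")
        for p in sorted(protos & SAML1_PROTOCOLS):
            findings.append((role_name, "@protocolSupportEnumeration", "saml1-protocol", p))
        for ep in role:
            binding, loc = ep.get("Binding"), ep.get("Location")
            if not binding or not loc:
                continue  # not an endpoint element
            reasons = []
            if urlsplit(loc).port == soap_port:
                reasons.append("port-%d" % soap_port)
            if "SOAP" in binding:
                reasons.append("soap-binding")
            if ep.tag == MD + "ArtifactResolutionService" or "artifact" in binding.lower():
                reasons.append("artifact")
            if ":SAML:1." in binding or binding.startswith("urn:mace:shibboleth:1.0"):
                reasons.append("saml1-binding")
            if reasons:
                findings.append((role_name, ep.tag.replace(MD, ""), "+".join(reasons), loc))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(*f, sep="  ")
```

An empty result means the metadata no longer tells SPs to use the back channel; whether the port itself is still reachable is a separate firewall check.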