IDP Requesting client Certificate

Peter Schober peter.schober at
Tue May 20 10:20:29 EDT 2014

* Kobi Seviliya <kobi at> [2014-05-20 16:09]:
> Jetty is listening on port 8443 and I use ipchains to redirect port 443 to
> 8443 ...
> Am I missing something here?

That's OK (and makes sense IF you have the JVM/Jetty running as an
unprivileged user) but you can't apply the Shib docs without taking
that into account, i.e. in case you did add the DTA code which the
docs mention for SOAP support on (the publicly visible) port 8443
you'll need to undo that.
If you need SOAP support at all you'd need to define a separate port
for that.  8443 is used in the documentation examples, so that could
be the externally visible port, which you can forward to whatever
local port via your packet filter. Though I'd note that this has a
certain potential for confusion, having fqdn:443 rewritten to
localhost:8443 and fqdn:8443 to localhost:(whatever).

You should only add the DTA extension to a separate port, not on the
port subjects point their browsers to during authentication.
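An added check, not from the thread or the Shibboleth project, for verifying the layout Peter describes: the browser-facing port must not send a TLS CertificateRequest, while the separate SOAP port (with the DTA extension) may. It assumes openssl(1) is installed and that the hostname and port numbers are supplied by the caller; the trace parser is exercised on constructed `s_client -state -msg` lines.

```shell
#!/bin/sh
# Added example (not the thread's own code): report, per port, whether the
# TLS server asks for a client certificate, i.e. whether the client-cert
# (DTA) connector ended up on the port browsers are pointed to.

# Returns 0 when an `openssl s_client -state -msg` trace (passed as $1)
# contains a server CertificateRequest. Both the -state wording
# ("read server certificate request", OpenSSL 1.0/1.1) and the -msg
# message name ("CertificateRequest") are matched.
cert_requested_in_trace() {
    printf '%s\n' "$1" | grep -Eiq 'read server certificate request|CertificateRequest'
}

# Probe one host:port (assumption: openssl is on PATH; host is also sent as
# SNI). Returns 0 if the server requested a certificate, 1 otherwise.
probe_port() {
    host=$1; port=$2
    trace=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                -servername "$host" -state -msg 2>&1) || true
    if cert_requested_in_trace "$trace"; then
        echo "$host:$port REQUESTS a client certificate"
        return 0
    fi
    echo "$host:$port does not request a client certificate"
    return 1
}

# Expected layout from the thread: the browser-facing port (443, forwarded
# to Jetty's local 8443 by the packet filter) must NOT request a cert; only
# the separate SOAP port should. Returns 1 when the DTA extension is exposed
# on the browser port, 2 when the SOAP port sends no CertificateRequest.
check_idp_layout() {
    host=$1; browser_port=$2; soap_port=$3
    if probe_port "$host" "$browser_port"; then
        echo "MISCONFIGURED: client certs requested on browser-facing port $browser_port" >&2
        return 1
    fi
    if ! probe_port "$host" "$soap_port"; then
        echo "WARNING: SOAP port $soap_port sends no CertificateRequest" >&2
        return 2
    fi
    return 0
}

# Usage (placeholder hostname): check_idp_layout idp.example.org 443 8443
```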
