Case sensitivity of URL scheme in IdPv3 (Ellucian WebAdvisor)

Brent Putman putmanb at georgetown.edu
Thu Dec 17 16:48:16 EST 2015



On 12/17/15 3:35 PM, Rich Graves wrote:
> If I use upper case HTTPS://, the IdP chokes here:
>
> 2015-12-17 13:45:29,280 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:411] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location HTTPS://hub-dev.its.carleton.edu:443/WebAdvisor/WebAdvisor using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> org.opensaml.messaging.handler.MessageHandlerException: Relying party endpoint used the untrusted URL scheme HTTPS

Yeah, this is arguably a bug.  We should probably be performing the
scheme eval in a case-insensitive manner.  Please open a bug against
OpenSAML 3 for that (OSJ).

> (How) can I define "HTTPS" as a trusted URL scheme? Other approaches?


The trusted schemes are actually configurable, although in looking at it
now, it's not terribly convenient vis-a-vis Spring. I.e. there's not a
simple bean on which one can just set properties.  Need to invoke a
static method on a class.

As a workaround for now, try adding something like this to your
conf/global.xml.  Essentially it's just adding "HTTPS" to the
defaults of "http" and "https".

    <!-- <util:list> requires the Spring util namespace
         (xmlns:util="http://www.springframework.org/schema/util")
         to be declared on the root <beans> element of the file. -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingBean"
          depends-on="shibboleth.OpenSAMLConfig">
        <property name="targetClass"
                  value="org.opensaml.saml.config.SAMLConfigurationSupport"/>
        <property name="targetMethod" value="setAllowedBindingURLSchemes"/>
        <property name="arguments">
            <list>
                <util:list>
                    <value>http</value>
                    <value>https</value>
                    <value>HTTPS</value>
                </util:list>
            </list>
        </property>
    </bean>


I'm not 100% sure about the 'arguments' property value, and can't easily
test at the moment.  If someone else happens to know or see a mistake
please speak up.  The MethodInvokingFactoryBean setArguments takes an
Object[].  The actual invoked OpenSAML method needs to take a
List<String>.  So I think something like specifying a <list> value for
the former with a single <util:list> bean member value should work.  But
may need a little tweaking.
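The following is an added illustration of the point discussed in this thread, not code from the mail, from OpenSAML or from the Shibboleth project. It models the endpoint scheme check three ways: the exact string comparison the log line reports (which rejects "HTTPS"), the workaround of listing "HTTPS" as an extra trusted scheme (which still rejects other capitalisations such as "Https"), and a case-insensitive comparison that normalises the scheme to lowercase before checking, which is what RFC 3986 section 3.1 permits since schemes are case-insensitive. The scheme grammar, the default allowed list of "http"/"https" and the sample endpoint locations (the one from the quoted log plus constructed variants) are assumptions of this example; the function names are hypothetical and do not correspond to OpenSAML's API.

```python
import re

# Scheme syntax from RFC 3986 section 3.1: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# followed by ":".  We extract it ourselves rather than via urllib.parse because
# urlsplit() already lowercases the scheme, which would hide the bug being shown.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumed default trusted binding URL schemes, as the mail describes them.
DEFAULT_ALLOWED_SCHEMES = ["http", "https"]

# The workaround from the mail: the defaults plus a literal "HTTPS".
WORKAROUND_ALLOWED_SCHEMES = ["http", "https", "HTTPS"]

# Constructed sample endpoints: the location from the quoted log line plus variants.
SAMPLE_ENDPOINTS = [
    "HTTPS://hub-dev.its.carleton.edu:443/WebAdvisor/WebAdvisor",
    "https://hub-dev.its.carleton.edu:443/WebAdvisor/WebAdvisor",
    "Https://hub-dev.its.carleton.edu:443/WebAdvisor/WebAdvisor",
    "ftp://hub-dev.its.carleton.edu/WebAdvisor",
    "/WebAdvisor/WebAdvisor",  # relative reference: no scheme at all
]


def raw_scheme(location):
    """Return the scheme exactly as written in the endpoint location, or None."""
    m = _SCHEME_RE.match(location)
    return m.group(1) if m else None


def scheme_trusted_case_sensitive(location, allowed=DEFAULT_ALLOWED_SCHEMES):
    """Exact string comparison, the behaviour the quoted log line shows:
    'HTTPS' is not in ['http', 'https'], so the endpoint is rejected."""
    s = raw_scheme(location)
    return s is not None and s in allowed


def scheme_trusted_case_insensitive(location, allowed=DEFAULT_ALLOWED_SCHEMES):
    """Compare after lowercasing both sides.  Any capitalisation of a trusted
    scheme passes; untrusted schemes and scheme-less locations still fail."""
    s = raw_scheme(location)
    if s is None:
        return False
    return s.lower() in {a.lower() for a in allowed}


def evaluate(endpoints):
    """Run all three checks over a list of locations.  Returns
    {location: (exact_default, exact_with_workaround, case_insensitive)}."""
    return {
        loc: (
            scheme_trusted_case_sensitive(loc, DEFAULT_ALLOWED_SCHEMES),
            scheme_trusted_case_sensitive(loc, WORKAROUND_ALLOWED_SCHEMES),
            scheme_trusted_case_insensitive(loc, DEFAULT_ALLOWED_SCHEMES),
        )
        for loc in endpoints
    }


if __name__ == "__main__":
    print(f"{'endpoint':62} exact  workaround  case-insensitive")
    for loc, (exact, workaround, relaxed) in evaluate(SAMPLE_ENDPOINTS).items():
        print(f"{loc:62} {exact!s:6} {workaround!s:11} {relaxed}")
```

Running it shows why the bean above is only a stopgap: the literal "HTTPS" entry fixes the one capitalisation WebAdvisor happens to emit, while the case-insensitive comparison accepts every spelling of the trusted schemes and still rejects anything that is not http or https.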

