Case sensitivity of URL scheme in IdPv3 (Ellucian WebAdvisor)
putmanb at georgetown.edu
Thu Dec 17 16:48:16 EST 2015
On 12/17/15 3:35 PM, Rich Graves wrote:
> If I use upper case HTTPS://, the IdP chokes here:
> 2015-12-17 13:45:29,280 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:411] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location HTTPS://hub-dev.its.carleton.edu:443/WebAdvisor/WebAdvisor using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> org.opensaml.messaging.handler.MessageHandlerException: Relying party endpoint used the untrusted URL scheme HTTPS
Yeah, this is arguably a bug. We should probably be performing the
scheme eval in a case-insensitive manner. Please open a bug against
OpenSAML 3 for that (OSJ).
> (How) can I define "HTTPS" as a trusted URL scheme? Other approaches?
The trusted schemes are actually configurable, although in looking at it
now, it's not terribly convenient vis-a-vis Spring. I.e. there's not a
simple bean on which one can just set properties. Need to invoke a
static method on a class.
As a workaround for now, try adding something like this to your
conf/global.xml. Essentially it's just adding in "HTTPS" to the
otherwise defaults of "http" and "https".

    <property name="targetMethod" value="setAllowedBindingURLSchemes"/>

I'm not 100% sure about the 'arguments' property value, and can't easily
test at the moment. If someone else happens to know or see a mistake
please speak up. The MethodInvokingFactoryBean setArguments takes an
Object. The actual invoked OpenSAML method needs to take a
List<String>. So I think something like specifying a <list> value for
the former with a single <util:list> bean member value should work. But
may need a little tweaking.
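
The case-sensitivity problem discussed in this thread, as an added example that is not part of the original post and is not OpenSAML code: an exact-match scheme allowlist beside one that lowercases the scheme before comparing (RFC 3986 treats schemes as case-insensitive). The class and method names are hypothetical; only the first sample URL comes from the log line quoted above, the rest are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class SchemeCheckDemo {
    // Default allowlist described in the post: "http" and "https".
    static final List<String> ALLOWED = Arrays.asList("http", "https");

    // Exact-match comparison: rejects "HTTPS" the way the logged error does.
    static boolean allowedExact(String location) {
        String scheme = schemeOf(location);
        return scheme != null && ALLOWED.contains(scheme);
    }

    // RFC 3986 section 3.1: schemes are case-insensitive, canonical form is lowercase.
    // Locale.ROOT avoids locale-specific case mapping (e.g. the Turkish dotless i).
    static boolean allowedNormalized(String location) {
        String scheme = schemeOf(location);
        return scheme != null && ALLOWED.contains(scheme.toLowerCase(Locale.ROOT));
    }

    // Returns the scheme exactly as written, or null for relative or unparseable input.
    static String schemeOf(String location) {
        try {
            return new URI(location).getScheme();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "HTTPS://hub-dev.its.carleton.edu:443/WebAdvisor/WebAdvisor", // from the log line
            "https://sp.example.org/acs",  // constructed
            "JavaScript:void(0)",          // constructed: must stay rejected after normalizing
            "/relative/acs",               // constructed: no scheme at all
        };
        for (String s : samples) {
            System.out.printf("%-60s exact=%-5b normalized=%b%n",
                    s, allowedExact(s), allowedNormalized(s));
        }
    }
}
```

Normalizing the scheme accepts the upper-case endpoint without widening the allowlist: schemes outside the list and scheme-less locations are still rejected.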