Case sensitivity of URL scheme in IdPv3 (Ellucian WebAdvisor)

Brent Putman putmanb at
Thu Dec 17 16:48:16 EST 2015

On 12/17/15 3:35 PM, Rich Graves wrote:
> If I use upper case HTTPS://, the IdP chokes here:
> 2015-12-17 13:45:29,280 - DEBUG [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:411] - Profile Action PopulateBindingAndEndpointContexts: Resolved endpoint at location HTTPS:// using binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> org.opensaml.messaging.handler.MessageHandlerException: Relying party endpoint used the untrusted URL scheme HTTPS

Yeah, this is arguably a bug.  We should probably be performing the
scheme eval in a case-insensitive manner.  Please open a bug against
OpenSAML 3 for that (OSJ).

> (How) can I define "HTTPS" as a trusted URL scheme? Other approaches?

The trusted schemes are actually configurable, although in looking at it
now, it's not terribly convenient vis-a-vis Spring. I.e. there's not a
simple bean on which one can just set properties.  Need to invoke a
static method on a class.

As a workaround for now, try adding something like this to your
conf/global.xml.  Essentially it's just adding in "HTTPS" to the
otherwise defaults of "http" and "https".

        <property name="targetClass"
        <property name="targetMethod" value="setAllowedBindingURLSchemes"/>
        <property name="arguments">

I'm not 100% sure about the 'arguments' property value, and can't easily
test at the moment.  If someone else happens to know or see a mistake
please speak up.  The MethodInvokingFactoryBean setArguments takes an
Object[].  The actual invoked OpenSAML method needs to take a
List<String>.  So I think something like specifying a <list> value for
the former with a single <util:list> bean member value should work.  But
may need a little tweaking.
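
The case-sensitivity problem discussed in this thread, as an added Java example that is not part of the original post and is not OpenSAML code: an exact-match scheme allowlist rejects `HTTPS://`, while lowercasing the scheme first (RFC 3986 section 3.1 treats schemes as case-insensitive) accepts it without widening the allowlist. The class name, method names and sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical demo class; it does not reproduce OpenSAML's implementation.
public class SchemeAllowlistDemo {

    // The default trusted schemes named in the post.
    static final List<String> ALLOWED = Arrays.asList("http", "https");

    // Exact string match: "HTTPS" is not equal to "https", so an endpoint
    // registered with an upper-case scheme is rejected.
    static boolean allowedExact(String location) throws URISyntaxException {
        String scheme = new URI(location).getScheme(); // case is preserved
        return scheme != null && ALLOWED.contains(scheme);
    }

    // Case-insensitive evaluation: normalize the scheme to lower case with a
    // fixed locale (avoids locale-specific case mappings) before the lookup.
    // The allowlist itself stays unchanged.
    static boolean allowedNormalized(String location) throws URISyntaxException {
        String scheme = new URI(location).getScheme();
        return scheme != null
                && ALLOWED.contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample endpoint locations.
        String[] samples = {
            "https://sp.example.org/acs",
            "HTTPS://sp.example.org/acs",
            "Https://sp.example.org/acs",
            "ftp://sp.example.org/acs",   // not on the allowlist either way
            "/acs"                        // no scheme at all
        };
        for (String s : samples) {
            System.out.printf("%-30s exact=%-5b normalized=%b%n",
                    s, allowedExact(s), allowedNormalized(s));
        }
    }
}
```

Normalizing at comparison time keeps the trusted set at two entries, whereas the workaround of adding "HTTPS" to the list still leaves mixed-case spellings such as `Https` rejected.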
