IDP Sending Users to Unsecure HTTP Connection
cantor.2 at osu.edu
Mon Dec 21 13:36:26 EST 2015
On 12/21/15, 1:29 PM, "users on behalf of David E. Newswanger" <users-bounces at shibboleth.net on behalf of David_Newswanger at berea.edu> wrote:
>I recently installed a new service provider. When people go to log in via HTTPS, the identity provider authenticates them and then redirects them using HTTP to the home page and they get a security warning saying "The information you have entered on this page will be sent over an insecure connection and could be read by a third party." How do I configure my SP or IdP to redirect authenticated users using HTTPS?
If you don't want http, don't support it, and implement the necessary redirects; that's nothing to do with Shibboleth.
If you must rely on the SP, which happens in certain cases when the web server is a piece of garbage (e.g., IIS), there's a redirectToSSL option in the RequestMap that can handle some of the redirect work.
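
The redirectToSSL option mentioned in the reply above, shown as an added example that is not part of the original message or the project's own configuration. It is a fragment of the SP's shibboleth2.xml; the host name `sp.example.org` and the path `secure` are placeholders.

```xml
<!-- Fragment of shibboleth2.xml on the SP. Host name and path are placeholders. -->
<RequestMapper type="Native">
    <RequestMap>
        <!-- Before: the host is protected, but nothing in the SP stops it from
             being requested over plain http.
             <Host name="sp.example.org" authType="shibboleth" requireSession="true"/>
        -->

        <!-- After: redirectToSSL takes the https port. Requests for this host that
             arrive over plain http are sent by the SP to the same URL on that port
             over https. The setting is inherited by the nested Path. -->
        <Host name="sp.example.org" redirectToSSL="443">
            <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
    </RequestMap>
</RequestMapper>
```

As the reply says, this only covers the case where the web server itself cannot do the redirect; where it can, the redirect belongs in the web server configuration.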