IDP Sending Users to Unsecure HTTP Connection

Cantor, Scott cantor.2 at
Mon Dec 21 13:36:26 EST 2015

On 12/21/15, 1:29 PM, "users on behalf of David E. Newswanger" <users-bounces at on behalf of David_Newswanger at> wrote:

>I recently installed a new service provider. When people go to login via HTTPS, the identity provider authenticates them and then redirects them using HTTP to the home page and they get a security warning saying "The information you have entered on this
> page will be sent over an insecure connection and could be read by a third party." How do I configure my SP or IdP to redirect authenticated users using HTTPS?

If you don't want http, don't support it, and implement the necessary redirects, that's nothing to do with Shibboleth.

If you must rely on the SP, which happens in certain cases when the web server is a piece of garbage (e.g., IIS), there's a redirectToSSL option in the RequestMap that can handle some of the redirect work.

-- Scott

More information about the users mailing list