IDP Sending Users to Unsecure HTTP Connection

[Peter Schober]

* David E. Newswanger <David_Newswanger at berea.edu> [2015-12-21 19:30]:
> I recently installed a new service provider. When people go to login
> via HTTPS, the identity provider authenticates them and then
> redirects them using HTTP to the home page and they get a security
> warning saying "The information you have entered on this page will
> be sent over an insecure connection and could be read by a third
> party." How do I configure my SP or IdP to redirect authenticated
> users using HTTPS?

Easiest is to run the SP only on HTTPS.  That also has other benefits,
esp protecting HTTP Cookies for access to the application.
If that's not an option at least to only use HTTPS in the part of the
web site where authentication is initiated, if there's something like
that.
Don't ever provide plain HTTP endpoints in SAML Metadata about your
SP (unless you're part of a very contrained environment and can rely
on only the Artifact binding).
-peter