TestShib.org: Issue with some URLs specified in the metadata.

Corey Puffalt cplists at gmail.com
Thu Oct 22 12:30:36 EDT 2015


Nate,

On Thu, Oct 22, 2015 at 10:04 AM, Nate Klingenstein <ndk at internet2.edu>
wrote:

> Corey,
>
> I was just trying to use testshib.org to test an OpenAM SP setup and one
> thing I ran into is that some of the endpoint URLs in the
> testshib-providers.xml metadata file are referencing endpoints that have a
> self-signed SSL certificate for some reason.  The problematic URLs are all
> referencing port 8443 instead of the standard 443 port for SSL.
>
>
> Shibboleth has historically treated back-channel queries as separate
> services that use separate certificates to avoid the rollover issues that
> would be incurred by the use of shorter-lived certificates. I’m personally
> fine with revisiting this, and my dogma indicates my preference to use a
> single port and certificate for all of this.
>
> https://wiki.shibboleth.net/confluence/display/CONCEPT/TrustManagement
>
>
Thanks a lot for your explanation on the separate port for back-channel
queries.  I took a quick read through the link you provided but have to
confess it didn't help me understand what you meant.  Some googling turned
up:

https://spaces.internet2.edu/display/InCFederation/Back-channel+SAML+Protocols

which helped me understand why a separate self-signed certificate is being
used for the back-channel endpoints.

For testing purposes I hacked the metadata and simply changed the endpoints
referencing 8443 to 443. Should this work?  (I know it's not advisable in a
production system, but I'm just trying to validate a basic SP
configuration).  I'm now seeing errors saying "Inbound message issuer was
not authenticated." but I'm not sure if this is because I changed the port
or if there's some other issue related to my SP configuration causing the
issue.

Regards,
Corey
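Added example (not code from this thread, from Shibboleth, or from TestShib): a short Python script that parses SAML 2.0 metadata and separates the browser-facing endpoints from the back-channel ones, then reproduces the test-only port rewrite described above so its effect can be checked before feeding the file to an SP. Back-channel endpoints are identified by their SOAP binding (ArtifactResolutionService, AttributeService), which is what the InCommon back-channel page linked above is about. The metadata below is a constructed sample that imitates the layout under discussion (SSO on 443, SOAP endpoints on 8443); the entityID, hostname and paths are assumptions, not the contents of testshib-providers.xml.

```python
"""Classify SAML metadata endpoints by channel and rewrite a port for testing.

Added example; not part of the mailing-list thread. SAMPLE_METADATA is a
constructed stand-in for testshib-providers.xml: its hostname, entityID and
paths are invented, only the layout (SOAP endpoints on 8443) mirrors the
situation described in the thread.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Register the default prefix so re-serialised metadata keeps xmlns="..."
# instead of ns0:-prefixed tags.
ET.register_namespace("", MD_NS)

# SOAP bindings carry the back-channel (server-to-server) protocols.
SOAP_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </AttributeAuthorityDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def endpoints(metadata_xml):
    """Return (entityID, element name, binding, host, port) for every endpoint.

    Any element carrying both a Binding and a Location attribute is treated
    as an endpoint. A missing port means the scheme default (443 for https).
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        for el in entity.iter():
            binding, location = el.get("Binding"), el.get("Location")
            if binding is None or location is None:
                continue
            url = urlsplit(location)
            port = url.port or (443 if url.scheme == "https" else 80)
            name = el.tag.rsplit("}", 1)[-1]
            found.append((entity_id, name, binding, url.hostname, port))
    return found


def backchannel_ports(metadata_xml):
    """Distinct ports used by SOAP endpoints (the ones that may present a
    different, possibly self-signed, certificate than the browser-facing
    endpoints)."""
    return sorted({p for _, _, b, _, p in endpoints(metadata_xml) if b in SOAP_BINDINGS})


def frontchannel_ports(metadata_xml):
    """Distinct ports used by non-SOAP (browser-facing) endpoints."""
    return sorted({p for _, _, b, _, p in endpoints(metadata_xml) if b not in SOAP_BINDINGS})


def rewrite_port(metadata_xml, old_port, new_port):
    """Point every Location on old_port at new_port and re-serialise.

    This mirrors the test-only hack in the thread (8443 -> 443). It changes
    which certificate the SP will see on those endpoints, so it is not
    something to do with production metadata.
    """
    root = ET.fromstring(metadata_xml)
    for el in root.iter():
        location = el.get("Location")
        if location is None:
            continue
        url = urlsplit(location)
        if url.port != old_port:
            continue
        default = 443 if url.scheme == "https" else 80
        netloc = url.hostname if new_port == default else f"{url.hostname}:{new_port}"
        el.set("Location", url._replace(netloc=netloc).geturl())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for entity_id, name, binding, host, port in endpoints(SAMPLE_METADATA):
        channel = "back" if binding in SOAP_BINDINGS else "front"
        print(f"{channel:5} {name:26} {host}:{port}")
    print("back-channel ports:", backchannel_ports(SAMPLE_METADATA))
```

Run it against the real metadata file by replacing SAMPLE_METADATA with the file contents; if the back-channel ports differ from the front-channel ones, expect the SOAP endpoints to present a certificate other than the one served on 443, and expect the SP to validate it against the certificate in the metadata rather than against a public CA.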