TestShib.org: Issue with some URLs specified in the metadata.
Corey Puffalt
cplists at gmail.com
Thu Oct 22 12:30:36 EDT 2015
Nate,
On Thu, Oct 22, 2015 at 10:04 AM, Nate Klingenstein <ndk at internet2.edu>
wrote:
> Corey,
>
> I was just trying to use testshib.org to test an OpenAM SP setup and one
> thing I ran into is that some of the endpoint URLs in the
> testshib-providers.xml metadata file are referencing endpoints that have a
> self-signed SSL certificate for some reason. The problematic URLs are all
> referencing port 8443 instead of the standard 443 port for SSL.
>
>
> Shibboleth has historically treated back-channel queries as separate
> services that use separate certificates to avoid the rollover issues that
> would be incurred by the use of shorter-lived certificates. I'm personally
> fine with revisiting this, and my dogma indicates my preference to use a
> single port and certificate for all of this.
>
> https://wiki.shibboleth.net/confluence/display/CONCEPT/TrustManagement
>
>
Thanks a lot for your explanation on the separate port for back-channel
queries. I took a quick read through the link you provided but have to
confess it didn't help me understand what you meant. Some googling turned
up:
https://spaces.internet2.edu/display/InCFederation/Back-channel+SAML+Protocols
which helped me understand why a separate self-signed certificate is being
used for the back-channel endpoints.
For testing purposes I hacked the metadata and simply changed the endpoints
referencing 8443 to 443. Should this work? (I know it's not advisable in a
production system, but I'm just trying to validate a basic SP
configuration). I'm now seeing errors saying "Inbound message issuer was
not authenticated." but I'm not sure if this is because I changed the port
or if there's some other issue related to my SP configuration causing the
issue.
Regards,
Corey
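Before changing ports in a metadata file it helps to see exactly which endpoints are the SOAP-bound back-channel services Nate describes, since those are the ones that carry the separate certificate. The Python script below is an added example, not code from this thread or from TestShib; the metadata it parses is a constructed snippet in the shape of testshib-providers.xml with example.org hostnames.

```python
"""List the endpoints in SAML 2.0 metadata and flag the ones on a non-default
port, so a reader can tell the back-channel (SOAP) services apart from the
browser-facing ones before editing anything."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample in the shape of testshib-providers.xml (not the real file).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
 <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
       Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
       Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
       Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def endpoints(metadata_xml):
    """Return one dict per endpoint element (anything with Binding + Location)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for entity in root.iter("{%s}EntityDescriptor" % MD_NS):
        for el in entity.iter():
            binding, location = el.get("Binding"), el.get("Location")
            if not (binding and location):
                continue
            url = urlsplit(location)
            # An explicit :8443 shows up in url.port; otherwise infer the scheme default.
            port = url.port or (443 if url.scheme == "https" else 80)
            found.append({
                "entity": entity.get("entityID"),
                "service": el.tag.split("}")[1],
                "binding": binding,
                "location": location,
                "port": port,
                # SOAP-bound services (artifact resolution, attribute query) are the
                # back-channel ones; per the TrustManagement page linked above, their
                # TLS certificate is matched against the entity's metadata keys.
                "back_channel": binding == SOAP_BINDING,
            })
    return found


def nonstandard_port_endpoints(metadata_xml):
    """Endpoints that would be touched by a port rewrite such as 8443 -> 443."""
    return [e for e in endpoints(metadata_xml) if e["port"] not in (80, 443)]
```

Running `nonstandard_port_endpoints(SAMPLE_METADATA)` on the sample returns only the two SOAP endpoints on 8443, which is the set an edit like Corey's would alter.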