SP - Trying to test copy of server - should this work?

Peter Schober peter.schober at univie.ac.at
Tue May 3 10:42:53 EDT 2016

* Michael White <michael.white at stir.ac.uk> [2016-05-03 16:34]:
> As everything here is SAML 2 (i.e. no back channel stuff), I had
> hoped that I would then be able to test shibboleth authentication on
> "rms-new" just by setting the host file on my laptop to resolve
> "rms" and "rms-new" to the IP Address of "rms-new" - in my head I
> thought I would then be able to go to "rms" on my laptop and behind
> the scenes it would actually be talking to "rms-new" (which is the
> case) and I hoped/presumed that our (shib) IdP would be OK with this
> as, as far as it was concerned, it would be authenticating for the
> existing "rms" system's SP . . . (?)

Yes, that approach works well with SAML2, both for IDPs and SPs.
The SP (here) would need to be configured identical to the real one
(i.e., don't change anything), except that it runs on a different IP
Any machine using a modified hosts file would therefore end up on the
cloned system but accessing it using the old/original/real host name.
For your web browser, the SP's web server and SAML implementation as
well as for your SAML IDP there is no difference from the real server.

> However, when I try this, it doesn't work, and I'm not sure whether
> it actually should/could/might or not?

It should and it does. You're just accessing the server via http by
mistake, and that server (a) does not forward you to https, and (b)
the SAML Metadata describing that SP only has https endpoints.

Arguably that's a server misconfiguration, i.e., allowing access to
the service so that the service will generate SAML messages with
incorrect self-referencing URLs in them.
To fix that make sure all URLs are rewritten to https before starting
any SAML flows.

More information about the users mailing list