SP - Trying to test copy of server - should this work?

Michael White michael.white at stir.ac.uk
Tue May 3 10:59:38 EDT 2016


Michael White wrote:
> > I would then be able to test shibboleth authentication on
> > "rms-new" just by setting the host file on my laptop to resolve "rms"
> > and "rms-new" to the IP Address of "rms-new"

> > However, when I try this, it doesn't work, and I'm not sure whether it
> > actually should/could/might or not?

Peter Schober replied:
> Yes, that approach works well with SAML2, both for IDPs and SPs.

Many thanks Peter (and Scott) for confirming this - armed with the knowledge that this should work, I shall persevere :-)

> You're just accessing the server via http by mistake, and
> that server (a) does not forward you to https, and (b) the SAML Metadata
> describing that SP only has https endpoints.

. . . and thanks both for spotting this (I can't believe I didn't notice it!) - I now have an avenue for further investigation and will hopefully be able to move forwards, so thanks again! :-)

Cheers,

Mike

Michael White
eLearning Developer
Information Services

T: (01786) 466877
E: michael.white at stir.ac.uk
A: S8, Library, University of Stirling, Stirling, FK9 4LA 


> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter
> Schober
> Sent: 03 May 2016 15:43
> To: users at shibboleth.net
> Subject: Re: SP - Trying to test copy of server - should this work?
> 
> * Michael White <michael.white at stir.ac.uk> [2016-05-03 16:34]:
> > As everything here is SAML 2 (i.e. no back channel stuff), I had hoped
> > that I would then be able to test shibboleth authentication on
> > "rms-new" just by setting the host file on my laptop to resolve "rms"
> > and "rms-new" to the IP Address of "rms-new" - in my head I thought I
> > would then be able to go to "rms" on my laptop and behind the scenes
> > it would actually be talking to "rms-new" (which is the
> > case) and I hoped/presumed that our (shib) IdP would be OK with this
> > as, as far as it was concerned, it would be authenticating for the
> > existing "rms" system's SP . . . (?)
> 
> Yes, that approach works well with SAML2, both for IDPs and SPs.
> The SP (here) would need to be configured identically to the real one (i.e.,
> don't change anything), except that it runs on a different IP address.
> Any machine using a modified hosts file would therefore end up on the
> cloned system but accessing it using the old/original/real host name.
> For your web browser, the SP's web server and SAML implementation as well
> as for your SAML IDP there is no difference from the real server.
> 
> > However, when I try this, it doesn't work, and I'm not sure whether it
> > actually should/could/might or not?
> 
> It should and it does. You're just accessing the server via http by mistake, and
> that server (a) does not forward you to https, and (b) the SAML Metadata
> describing that SP only has https endpoints.
> 
> Arguably that's a server misconfiguration, i.e., allowing access to the service
> so that the service will generate SAML messages with incorrect
> self-referencing URLs in them.
> To fix that make sure all URLs are rewritten to https before starting any SAML
> flows.
> -peter

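An added example (not code from this thread or from the Shibboleth project) that models the mismatch Peter describes: the SP builds its self-referencing AssertionConsumerService URL from the scheme and Host of the request it received, so a request arriving over plain http yields a URL that is not among the https-only endpoints in the SP's metadata, while a hosts-file clone reached over https matches because only the IP changed, not the name. The metadata document, entityID and host name are constructed for the example.

```python
"""Does the ACS URL an SP derives from a request match its published metadata?"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_PATH = "/Shibboleth.sso/SAML2/POST"

# Constructed SP metadata: a hypothetical host "rms.example.ac.uk", https endpoints only.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rms.example.ac.uk/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://rms.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acs_locations(metadata_xml: str) -> set:
    """Collect every AssertionConsumerService Location the IdP would accept."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")}


def self_referencing_acs(scheme: str, host: str) -> str:
    """The SP does not consult its metadata here: it uses the scheme and Host
    of the inbound request, which is why an http request leaks into the AuthnRequest."""
    return f"{scheme}://{host}{ACS_PATH}"


def check_request(scheme: str, host: str, metadata_xml: str = SAMPLE_METADATA):
    """Return (ok, acs_url); ok is False when the IdP would see an ACS URL absent from metadata.
    The IP the name resolves to never enters the comparison, so a hosts-file clone is fine."""
    url = self_referencing_acs(scheme, host)
    return url in acs_locations(metadata_xml), url


def required_redirect(scheme: str, host: str, path: str = "/"):
    """Peter's fix, expressed as a check: before any SAML flow starts the web server
    must send http requests to https. Returns the redirect target, or None if already https."""
    if scheme == "https":
        return None
    return f"https://{host}{path}"


if __name__ == "__main__":
    for scheme in ("http", "https"):
        ok, url = check_request(scheme, "rms.example.ac.uk")
        print(f"{url}: {'in metadata' if ok else 'NOT in metadata -> IdP will reject'}")
```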


