Apache 2.4.7 - mod-shib 2.5.2 - http bindings?

Peter Schober peter.schober at univie.ac.at
Mon May 30 09:25:31 EDT 2016

* Robert Duncan <Robert.Duncan at ncirl.ie> [2016-05-30 13:30]:
> Can anyone tell why Shibboleth is generating SP metadata with http
> bindings instead of https.

Accessing /Shibboleth.sso/Metadata in a plain http (or misconfigured)
vhost would cause that.

> the vhost configuration - but the below, with https ServerName
> directive always generates http - handleSSL is off in shibboleth
> because the SP will be behind a load balancer.

That looks OK:

>   ServerName https://liberty.example.com:5000/
>   UseCanonicalName On

so Probably that vhost is never matched by the request you send?
an you confirm from log files?

The simple workaround (that's not a workaround, but probably the
recommended version) is using the provided metagen.sh script
(metagen.bat of MS-Windows) to generate metadata according to your

But if the metadata generator handler doesn't create correct
self-referencing URLs chances are the other handlers, esp those
responsible for processing incoming SAML protocol messages, won't know
their own location/vhost either. So it's probably best to get the
metadata handler to work, even though you don't need it (when using

>     <ApplicationDefaults entityID="https://liberty.example.com:5000/">

JFYI, an entityID is a name, and there should be no need to include
port numbers in that name.

More information about the users mailing list