Apache 2.4.7 - mod-shib 2.5.2 - http bindings?
Peter Schober
peter.schober at univie.ac.at
Mon May 30 09:25:31 EDT 2016
* Robert Duncan <Robert.Duncan at ncirl.ie> [2016-05-30 13:30]:
> Can anyone tell why Shibboleth is generating SP metadata with http
> bindings instead of https.
Accessing /Shibboleth.sso/Metadata in a plain http (or misconfigured)
vhost would cause that.
> the vhost configuration - but the below, with https ServerName
> directive always generates http - handleSSL is off in shibboleth
> because the SP will be behind a load balancer.
That looks OK:
> ServerName https://liberty.example.com:5000/
> UseCanonicalName On
so probably that vhost is never matched by the request you send?
Can you confirm from log files?
The simple workaround (that's not a workaround, but probably the
recommended version) is using the provided metagen.sh script
(metagen.bat for MS-Windows) to generate metadata according to your
needs.
But if the metadata generator handler doesn't create correct
self-referencing URLs chances are the other handlers, esp those
responsible for processing incoming SAML protocol messages, won't know
their own location/vhost either. So it's probably best to get the
metadata handler to work, even though you don't need it (when using
metagen.sh).
> <ApplicationDefaults entityID="https://liberty.example.com:5000/">
JFYI, an entityID is a name, and there should be no need to include
port numbers in that name.
-peter
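
Added example (not part of the original post, and not Shibboleth's own code): a check that can be run over metadata produced by /Shibboleth.sso/Metadata or metagen.sh before it is handed to an IdP, flagging endpoint URLs that are not advertised over https. The sample metadata, the function name insecure_endpoints and the expected_host parameter are constructed for illustration.

```python
"""Flag SAML SP metadata endpoints that are not advertised over https."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the kind of output the thread describes, where the
# metadata handler was reached through a plain-http vhost.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://liberty.example.com:5000/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://liberty.example.com:5000/Shibboleth.sso/SLO/Redirect"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://liberty.example.com:5000/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://liberty.example.com:5000/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def insecure_endpoints(metadata_xml, expected_host=None):
    """Return (element, attribute, url, reason) for each bad endpoint URL."""
    root = ET.fromstring(metadata_xml)  # parse only metadata you generated yourself
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url is None:
                continue
            parts = urlsplit(url)
            if parts.scheme != "https":
                findings.append((tag, attr, url, "scheme is not https"))
            elif expected_host and parts.hostname != expected_host:
                findings.append((tag, attr, url, "unexpected host"))
    return findings

if __name__ == "__main__":
    for tag, attr, url, reason in insecure_endpoints(SAMPLE_METADATA, "liberty.example.com"):
        print(f"{tag} {attr}={url}: {reason}")
```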