Apache 2.4.7 - mod-shib 2.5.2 - http bindings?

Janusz Ulanowski janusz.ulanowski at heanet.ie
Mon May 30 09:40:29 EDT 2016

On 30/05/16 14:25, Peter Schober wrote:
> * Robert Duncan <Robert.Duncan at ncirl.ie> [2016-05-30 13:30]:
>> Can anyone tell why Shibboleth is generating SP metadata with http
>> bindings instead of https.
> Accessing /Shibboleth.sso/Metadata in a plain http (or misconfigured)
> vhost would cause that.
>> the vhost configuration - but the below, with https ServerName
>> directive always generates http - handleSSL is off in shibboleth
>> because the SP will be behind a load balancer.
> That looks OK:

shouldn't be handleSSL  set to true ?

>>    ServerName https://liberty.example.com:5000/
>>    UseCanonicalName On
> so Probably that vhost is never matched by the request you send?
> an you confirm from log files?
> The simple workaround (that's not a workaround, but probably the
> recommended version) is using the provided metagen.sh script
> (metagen.bat of MS-Windows) to generate metadata according to your
> needs.
> But if the metadata generator handler doesn't create correct
> self-referencing URLs chances are the other handlers, esp those
> responsible for processing incoming SAML protocol messages, won't know
> their own location/vhost either. So it's probably best to get the
> metadata handler to work, even though you don't need it (when using
> metagen.sh).
>>      <ApplicationDefaults entityID="https://liberty.example.com:5000/">
> JFYI, an entityID is a name, and there should be no need to include
> port numbers in that name.
> -peter

Janusz Ulanowski
Edugate: http://www.edugate.ie
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301

More information about the users mailing list