Best way to protect ECP endpoints
kwessel at illinois.edu
Tue Mar 27 17:20:15 EDT 2018
Sorry, I misspoke on the prompting. Our ECP script knows that it will need to supply the username and password headers, and it does so without being prompted. I imagine any good ECP implementation already does that.
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, March 27, 2018 4:17 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Best way to protect ECP endpoints
On 3/27/18, 5:14 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Alright, I feel quite stupid! I never tried just commenting out the Apache Location block for the ECP endpoint and hitting > it to see what happens. Works like a charm: prompts for authentication,
It won't prompt, that is an inherent limitation of this approach. It will consume a Basic-Auth header (or in theory any HTTP authentication) but it won't challenge for one. I couldn't come up with a way to do it within the webflow.
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users