change of response URL

Peter Schober peter.schober at univie.ac.at
Fri Nov 23 00:45:28 EST 2018


* Rohit Shinde <rohit at venturit.com> [2018-11-23 03:09]:
> Do I need to update?

Only if you want security from your security software.

See 2.5.3 in the list of known vulnerabilities:
https://wiki.shibboleth.net/confluence/display/SHIB2/SecurityAdvisories

> How to update it?

Since you're trying to use Nginx: According to the documentation
https://wiki.shibboleth.net/confluence/display/SP3/Nginx
you'd start by rebuilding the Shibboleth SP software with enabled
FastCGI support. Then you'd follow the instructions on GitHub.

But why go through all that pain at all? If you are on a supported
platform -- what OS and distribution and version are you running all
this on? -- I would suggest to drop Nginx and replace it with Apache
httpd:
Apache httpd (using the event MPM) can proxy to your Puma webserver
just equally easily, as well as serve up static files. And Puma does
request buffering for slow clients itself (AFAIK) so you don't need
Nginx for that either.

> No, I don't see them in header. I just see shib_session in cookies.

If you're still hell-bent on going through with Nginx I (again)
suggest to open an issue on the nginx-shib GitHub.
The fact that (you say) you're using their configuration example
verbatim and that (you say) the SP still doesn't actively protect
content is another error you should mention there.

But replacing Nginx with Apache httpd would be so much easier.

Or maybe forget about Shibboleth if that's all too complicated, esp if
you got some Ruby SAML implementation working anyway.

-peter

