http https redirect returns 400
Peter Schober
peter.schober at univie.ac.at
Fri Oct 25 10:31:29 EDT 2019
* Dr. Marco Lechner <mlechner at bfs.de> [2019-10-25 15:20]:
> I do have a permanent redirect configured to force https using
>
> <VirtualHost *:80>
> ServerAdmin webmaster at myserver.com
> DocumentRoot /var/www/html
> ServerName myserver.com
> #SSL-Redirect
> Redirect permanent / https://www.example.com/
> </VirtualHost>
>
> When trying to request
>
> https://www.example.com/start/ works without problems and redirects to
> the IdP Login Page, but
>
> http://www.example.com/start returns a 400 with "Single Sign-on - Stale
> Request" from the IdP:
If your SP returns with anything other than a redirect at
http://www.example.com/start then it can only be the webserver
configuration at fault. Maybe you're loading your shib settings
(including active protection) in a config snippet that gets included
globally, not only within the TLS-enabled vhost?
You could set handlerSSL="false" in your SP's Sessions element to
force the SP to error out when spoken to over plain HTTP. At least
this shortcuts the error from the IDP as it would never reach the
IDP. It will not by itself fix the webserver problem, though.
-peter
More information about the users
mailing list