http https redirect returns 400

Peter Schober peter.schober at
Fri Oct 25 10:31:29 EDT 2019

* Dr. Marco Lechner <mlechner at> [2019-10-25 15:20]:
> I do have a permanent redirect configured to force https using
> <VirtualHost *:80>
>    ServerAdmin webmaster at
>    DocumentRoot /var/www/html
>    ServerName
>    #SSL-Redirect
>    Redirect permanent /
> </VirtualHost>
> When trying to request
> works without problems and redirects to
> the IdP Login Page, but
> returns a 400 with "Single Sign-on - Stale
> Request" from the IdP:

If your SP returns with anything other than a redirect at then it can only be the webserver
configuration at fault. Maybe you're loading your shib settings
(including active protection) in a config snippet that gets included
globally, not only within the TLS-enabled vhost?

You could set handlerSSL="false" in your SP's Sessions element to
force the SP to error out when spoken to over plain HTTP. At least
this shortcuts the error from the IDP as it would never reach the
IDP. It will not by itself fix the webserver problem, though.


More information about the users mailing list