http https redirect returns 400
Dr. Marco Lechner
mlechner at bfs.de
Fri Oct 25 11:54:57 EDT 2019
Hi Peter,
Thanks. As you guessed, it was a webserver configuration fault. Our shib
settings (including active protection) were loaded in a config snippet that
gets included globally, not only within the TLS-enabled vhost.
Fixed. Works. Great.
Marco
On 25.10.2019 at 16:31, Peter Schober wrote:
> * Dr. Marco Lechner <mlechner at bfs.de> [2019-10-25 15:20]:
>> I do have a permanent redirect configured to force https using
>>
>> <VirtualHost *:80>
>> ServerAdmin webmaster at myserver.com
>> DocumentRoot /var/www/html
>> ServerName myserver.com
>> #SSL-Redirect
>> Redirect permanent / https://www.example.com/
>> </VirtualHost>
>>
>> When trying to request
>>
>> https://www.example.com/start/ works without problems and redirects to
>> the IdP Login Page, but
>>
>> http://www.example.com/start returns a 400 with "Single Sign-on - Stale
>> Request" from the IdP:
> If your SP returns with anything other than a redirect at
> http://www.example.com/start then it can only be the webserver
> configuration at fault. Maybe you're loading your shib settings
> (including active protection) in a config snippet that gets included
> globally, not only within the TLS-enabled vhost?
>
> You could set handlerSSL="false" in your SP's Sessions element to
> force the SP to error out when spoken to over plain HTTP. At least
> this shortcuts the error from the IDP as it would never reach the
> IDP. It will not by itself fix the webserver problem, though.
>
> -peter
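
The misconfiguration discussed in this thread, shown as an added example that is not part of the original messages: Shibboleth protection loaded from a globally included snippet, next to the same protection scoped to the TLS-enabled vhost. The snippet file names, certificate paths and the choice of `Require shib-session` are assumptions; `/start` and the redirect target are taken from the thread.

```apache
# --- BEFORE (constructed): conf-enabled/shib.conf, included globally ---------
# Because this sits in the global server config, the protection applies to
# every vhost, including the plain-HTTP one on port 80.
<Location /start>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
</Location>

# --- AFTER: protection scoped to the TLS-enabled vhost only ------------------
# Port 80 carries nothing but the permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder paths, replace with the real certificate and key.
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Shibboleth settings (including active protection) live here, so they
    # are never evaluated for requests arriving over plain HTTP.
    <Location /start>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
    </Location>
</VirtualHost>
```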