ECP + Duo + Docker Enterprise = timeouts

Brent Putman putmanb at
Wed Sep 11 18:04:19 EDT 2019

On 9/11/19 1:42 PM, Cantor, Scott wrote:
> On 9/11/19, 1:37 PM, "users on behalf of Bickel, David" <users-bounces at on behalf of jdbickel at> wrote:
>>  I did have to setup traffic to get InCommon metadata using proxyHost & proxyPort.  I am not seeing a way to do
>> something similar for the Duo NonBrowser configuration.  Am I missing something obvious in the documentation?
> s/TLS example/applying proxy settings
> I have no idea what the wiring is to configure proxying outbound from the HttpClient code, but if it's possible that's the way.

Yep, the base HttpClient builder supports various proxy properties.
Those same properties are what gets used by the metadata providers via
the custom XML schema and parsers.

For custom HttpClient bean wiring, the full docs for the builder are
here, with all the possible properties:

Namely the proxy related ones are:


So you can set any of those on the
shibboleth.authn.Duo.NonBrowser.HttpClient bean in duo-authn-config.xml
as illustrated in the wiki, e.g 
p:connectionProxyHost="". Full example:

|<||bean| |id||=||"shibboleth.authn.Duo.NonBrowser.HttpClient"|
|        ||parent||=||"shibboleth.NonCachingHttpClient"|
|        ||p:connectionProxyHost=""
p:connectionProxyPort="1234" />|

Only caveat is that we've never really tested HTTP proxy usage much. 
But if it's working for your InCommon metadata provider, then I believe
it should work here, b/c it's exactly the same HttpClient code.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list