Web Login Service - Message Security Error

Peter Schober peter.schober at univie.ac.at
Fri Feb 14 12:57:08 EST 2020


* liquid89 <p.nem at pnem.at> [2020-02-14 14:28]:
> We have a Portal-URL that shows on servername:8443 
> https://portal.test.de --> *http://*servername:8443

So what's the correct public URL of your IDP server?
https://portal.test.de or http://servername:8443 ?

The metadata describing the IDP must match exactly what the web
browser sees, including exact host name and port.

Ignoring the backchannel your IDP should probably listen on the
standard HTTPS port TCP/443. Then there'd be no port numbers in
metadata or configuration anywhere.

If Tomcat listens on a different physical port on your machine
(e.g. 8443) you could use one of the tricks mentioned in the
documentation, though personally I prefer POSIX Capabilities to simply
allow unprivileged users (i.e., the one the JVM and Tomcat run as) to
listen on privileged ports (i.e., 443). Modern systemd can do that
out of the box (I'd have to check whether CentOS7 comes with a
sufficiently new systemd).

> With an old Tomcat and Shibboleth it works without problems...

Oh, Tomcat 7 is old.

Note that if you're installing a new IDP now (otherwise you probably
wouldn't be experiencing such fundamental errors) you should consider
starting with IDPv4 -- it may well be done while you're struggling
with installation and configuration and productionalisation.

Even if you're not going with IDPv4 right now you will need to plan
your upgrade to v4 soon after its release and IDPv4 *does* *not*
*support* Tomcat7 anymore!
https://wiki.shibboleth.net/confluence/display/IDP4/SystemRequirements
So you should be looking at a newer OS or newer container right away,
IMO.

-peter
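As an added example (not part of Peter's reply, and not code from the Shibboleth project), the check below parses an IdP's SAML metadata and flags every browser-facing endpoint whose scheme, host or port differs from the public URL the browser actually uses, which is the mismatch described in the thread. The metadata is constructed for the example: the IdP is public as https://portal.test.de but one endpoint still advertises http://servername:8443; the function names are the example's own, and only front-channel endpoints (SingleSignOnService, SingleLogoutService) are compared, mirroring the "ignoring the backchannel" remark above.

```python
"""Compare an IdP's front-channel metadata endpoints against its public URL.

Added example, not from the mailing-list post. SAMPLE_METADATA is constructed
to reproduce the thread's situation: public URL https://portal.test.de, but an
endpoint Location still pointing at the internal Tomcat port http://servername:8443.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Only endpoints the browser is redirected or POSTed to; back-channel
# endpoints (e.g. ArtifactResolutionService) are deliberately excluded.
FRONT_CHANNEL = {"SingleSignOnService", "SingleLogoutService"}

# Constructed sample metadata (not real metadata from any deployment).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.test.de/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://servername:8443/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.test.de/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def origin(url):
    """Return (scheme, host, effective port) for a URL.

    An implicit port is resolved to the scheme default so that
    'https://host' and 'https://host:443' compare as the same origin.
    """
    parts = urlsplit(url)
    port = parts.port
    if port is None:
        port = {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def endpoint_mismatches(metadata_xml, public_base_url):
    """Return [(Binding, Location), ...] for front-channel endpoints whose
    origin (scheme/host/port) differs from the public base URL."""
    expected = origin(public_base_url)
    root = ET.fromstring(metadata_xml)
    mismatches = []
    for ep in root.iterfind(".//md:IDPSSODescriptor/*", NS):
        local_name = ep.tag.split("}", 1)[-1]
        if local_name not in FRONT_CHANNEL:
            continue
        location = ep.get("Location")
        if location and origin(location) != expected:
            mismatches.append((ep.get("Binding"), location))
    return mismatches


if __name__ == "__main__":
    public_url = "https://portal.test.de"
    for binding, location in endpoint_mismatches(SAMPLE_METADATA, public_url):
        print(f"endpoint does not match {public_url}: {binding} -> {location}")
```

Run against a real metadata file by passing its contents instead of SAMPLE_METADATA and the URL your users see in the address bar; an empty result means every front-channel Location agrees with the public host name and port, as the thread requires.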