Shibboleth IDP 4 on Ubuntu 18.04 with Jetty 10 => Stale Request and Access Denied!!!

Peter Schober peter.schober at
Wed Dec 22 10:18:42 UTC 2021

* Nate Klingenstein <ndk at> [2021-12-22 00:15]:
> You'll need to set things up over HTTPS, as Scott said, due to the
> Secure flag in the cookie.

For an artificial/meaningless test (such as accessing an IDP directly
via its IPv4 address and without TLS) the OP might as well disable the
secure flag on the IDP's own cookies (and handle the servlet container
cookies as needed).

> > Where do I configure admin rights?

With a product of this complexity there's no replacement for reading
the documentation and learning how to read the documentation.

Start at the doc home for IDP4:
Entering "hello" in the search input field at the top right offers
as the first result, open that page. The third section "Configuration"
there has a description. As shipped conf/access-control.xml comes with
3 policies (AccessByIPAddress, AccessByAdminUser, AccessByAttribute)
which should get you startred.

Besides the search feature you could also discover the relevant info
youself, e.g. I got there this way:

>From the the doc home for IDP4 follow the link "Web Interfaces" (since
you're asking about access to the helloworld web interfaces):
"All of these services are implemented as administrative webflows" --
follow the link "administrative":
Scrolling down a bit you see "Hello World" at the end:


More information about the users mailing list