homeURL scheme overrides actual scheme used to invoke SessionInitiator with no target
Description
If you access the SP self-generated metadata via an HTTP connection, all the endpoint locations have the 'http' scheme. If you access the metadata via HTTPS, they have the 'https' scheme. However, regardless of how you access a session initiator, the generated ACS URL is always generated as 'https'.
This came up in my test environment, where I just have my IdP loading my SP's metadata from the self-gen URL. After fixing https://shibboleth.atlassian.net/browse/JOST-86 the IdP started rejecting all endpoints, since the ACS URL the SP was sending didn't show up in the metadata (because of the scheme differences).
It would be nice if there was consistent behavior here.
homeURL will still drive the process, but the default config now omits it and lets the request to the server dictate the target value if homeURL isn't set.
Scott Cantor
July 1, 2009 at 11:51 AM
This is being caused by a homeURL with https, if no target value is supplied to the SessionInitiator. The code there is pretty historical and may be somewhat redundant with handlerSSL, so I'll leave open until I have time to consider it.
Scott Cantor
July 1, 2009 at 11:33 AM
I don't know why you would have changed it, but handlerSSL was still "false"? If it was behaving the way you describe without setting that to true, a non-SSL SP wouldn't work. If I broke that, this is a major bug, not a minor one, so I'll run a test myself.
BTW, you can get the generator to spit out both sets of endpoints by setting both http="true" and https="true" in the handler, I believe.
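A shibboleth2.xml fragment showing the two knobs discussed in the resolution note and in the comment above: the homeURL setting that forces an https target when a SessionInitiator is invoked with no target, and the MetadataGenerator handler emitting both http and https endpoints. This is an added illustration, not configuration taken from the issue or shipped by the Shibboleth project; the element and attribute names (ApplicationDefaults/homeURL, Sessions/handlerSSL, the MetadataGenerator handler's http and https attributes) are assumed from the SP 2.x configuration schema, and sp.example.org / idp.example.org are placeholders.

```xml
<!-- Added example, not from the issue. Attribute names assumed from SP 2.x. -->

<!-- Before: homeURL is https, so a SessionInitiator invoked without a target
     derives an https ACS URL. If the IdP fetched /Shibboleth.sso/Metadata over
     plain http, that metadata lists only http endpoints and the IdP rejects
     the AuthnRequest's ACS URL as unknown. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     homeURL="https://sp.example.org/">
  <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
            handlerSSL="false">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                      entityID="https://idp.example.org/idp/shibboleth">
      <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    </SessionInitiator>
    <!-- Endpoint scheme follows the scheme used to fetch the metadata. -->
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
  </Sessions>
</ApplicationDefaults>

<!-- After: homeURL omitted, so the target (and therefore the ACS scheme)
     follows the incoming request, and the generator lists both http and
     https endpoints so the scheme the SP actually uses is always present. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth">
  <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
            handlerSSL="false">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true"
                      entityID="https://idp.example.org/idp/shibboleth">
      <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
    </SessionInitiator>
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"
             http="true" https="true"/>
  </Sessions>
</ApplicationDefaults>
```

To check the result, fetch /Shibboleth.sso/Metadata over both http and https and compare the AssertionConsumerService Location values against the ACS URL carried in an AuthnRequest from /Shibboleth.sso/Login; the mismatch in the report shows up as a scheme difference in exactly that comparison. Outside a test environment, emitting plain-http ACS endpoints means assertions can be delivered over cleartext, so handlerSSL="true" with https-only metadata is the combination to prefer once the test-bed mismatch is understood.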