homeURL scheme overrides actual scheme used to invoke SessionInitiator with no target

Description

If you access the SP self-generated metadata via an HTTP connection all the endpoint locations have the 'http' scheme. If you access the metadata via HTTPS they have the 'https' schema. However, regardless of how you access a session initiator the generated ACS URL is always generated as 'https'.

This came up In my test environment where I just have my IdP loading my SPs metadata from the self-gen URL. After fixing https://shibboleth.atlassian.net/browse/JOST-86#icft=JOST-86 the IdP started rejecting all endpoints since the ACS URL the SP was sending didn't show up in the metadata (because of the scheme differences).

It would be nice if there was consistent behavior here.

Environment

None

Activity

Scott Cantor 
August 10, 2009 at 2:23 PM

http://svn.middleware.georgetown.edu/view/cpp-sp?view=rev&revision=3090

homeURL will still drive the process, but default config now omits it and lets the request to the server dictate the target value if homeURL isn't set.

Scott Cantor 
July 1, 2009 at 11:51 AM

This is being caused by a homeURL with https, if no target value is supplied to the SessionInitiator. The code there is pretty historical and may be somewhat redundant with handlerSSL, so I'll leave open until I have time to consider it.

Scott Cantor 
July 1, 2009 at 11:33 AM

I don't know why you would have changed it, but handlerSSL was still "false"? If it was behaving the way you describe without setting that to true, a non-SSL SP wouldn't work. If I broke that, this is a major bug, not a minor one, so I'll run a test myself.

BTW, you can get the generator to spit out both sets of endpoints by setting both http="true" and https="true" in the handler, I believe.

Fixed

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Created July 1, 2009 at 3:15 AM
Updated June 22, 2021 at 7:45 PM
Resolved August 10, 2009 at 2:23 PM