The SP metadata can be retrieved by doing a GET on the SP metadata URL which is:
$SP/$MellonEndpointPath/metadata
where
SP = the FQDN of the SP
MellonEndpointPath = the value of the MellonEndpointPath configuration item (defaults to 'mellon' but is set to 'saml2' by the ipsilon client).
The problem is the function am_generate_metadata() in auth_mellon_handler.c uses the request URL to get the scheme and host (calls ap_construct_url()). The $SP/$MellonEndpointPath/metadata URL can be invoked with either HTTP or HTTPS as the scheme. Thus if you use http://$SP/$MellonEndpointPath/metadata to get the SP's metadata it will not have the correct binding endpoints in the metadata because they will use http instead of https as is required by SAML; this causes various metadata failures.
We need to either document this problem, make sure the ipsilon client always does the right thing or get an upstream fix.
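The failure mode described in this ticket can be caught before the metadata is handed to an IdP: parse the SP metadata and reject it if any binding endpoint Location is not https. The script below is an added example written for this ticket, not code from mod_auth_mellon or ipsilon. The hostname sp.example.com, the endpoint path names and the two sample metadata documents (one as it would look when fetched over http, one over https) are constructed here for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SAML 2.0 metadata namespace (the real one, used by every SP metadata document).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Endpoint elements whose Location/ResponseLocation attributes mod_auth_mellon
# derives from the request URL, and which must therefore be checked for https.
ENDPOINT_TAGS = ("md:AssertionConsumerService", "md:SingleLogoutService")


def find_insecure_endpoints(metadata_xml: str):
    """Return a list of (element, attribute, url) for every binding endpoint
    in the SP metadata whose URL does not use the https scheme."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for spsso in root.iter("{%s}SPSSODescriptor" % MD_NS):
        for tag in ENDPOINT_TAGS:
            for endpoint in spsso.findall(tag, NS):
                for attr in ("Location", "ResponseLocation"):
                    url = endpoint.get(attr)
                    if url is None:
                        continue
                    if urlsplit(url).scheme.lower() != "https":
                        findings.append((tag.split(":")[1], attr, url))
    return findings


def metadata_is_usable(metadata_xml: str) -> bool:
    """True when every binding endpoint is https, i.e. the metadata was
    generated from an https request and is safe to register with an IdP."""
    return not find_insecure_endpoints(metadata_xml)


def make_sample_metadata(scheme: str) -> str:
    """Constructed sample: what am_generate_metadata() would emit when the
    metadata URL is fetched with the given scheme (hostname and endpoint
    paths are illustrative assumptions, not taken from a real deployment)."""
    base = "%s://sp.example.com/saml2" % scheme
    return """<md:EntityDescriptor xmlns:md="%(ns)s" entityID="%(base)s/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="%(base)s/logout" ResponseLocation="%(base)s/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="%(base)s/postResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % {"ns": MD_NS, "base": base}


if __name__ == "__main__":
    for scheme in ("http", "https"):
        doc = make_sample_metadata(scheme)
        print("metadata fetched over %s: usable=%s" % (scheme, metadata_is_usable(doc)))
        for element, attr, url in find_insecure_endpoints(doc):
            print("  insecure %s %s: %s" % (element, attr, url))
```

Run against a document fetched with `curl -s https://$SP/saml2/metadata` (or the http variant) to see the difference the request scheme makes; an ipsilon client setup script could run the same check and refuse to register metadata that fails it.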
Fields changed
milestone: => 1.1
This was fixed as a side-effect of 42700be which requires SSL on SP when using --saml-secure-setup.
resolution: => fixed
rhbz: => 0
status: new => closed
Metadata Update from @nkinder: - Issue set to the milestone: 1.1