#127 mellon metadata retrieval has different values depending on whether http or https is used in the metadata url
Closed: Fixed. Opened 8 years ago by jdennis.

The SP metadata can be retrieved by doing a GET on the SP metadata URL, which is:

$SP/$MellonEndpointPath/metadata

where

SP = the FQDN of the SP

MellonEndpointPath = the value of the MellonEndpointPath configuration item (defaults to 'mellon' but is set to 'saml2' by the ipsilon client).

The problem is that the function am_generate_metadata() in auth_mellon_handler.c uses the request URL to get the scheme and host (it calls ap_construct_url()). The $SP/$MellonEndpointPath/metadata URL can be invoked with either HTTP or HTTPS as the scheme. Thus, if you use http://$SP/$MellonEndpointPath/metadata to get the SP's metadata, it will not have the correct binding endpoints in the metadata, because they will use http instead of https as SAML requires; this causes various metadata failures.

We need to either document this problem, make sure the ipsilon client always does the right thing or get an upstream fix.
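The effect described in the ticket, as an added example (this is not ipsilon's or mod_auth_mellon's code): a small SP metadata builder that, like am_generate_metadata(), takes scheme and host from the URL the metadata was requested with, next to a variant that pins the scheme to https, and a check that lists every binding endpoint whose Location is not an https URL. The function names (endpoint_base, build_sp_metadata, insecure_endpoints), the host sp.example.com and the endpoint names are assumptions chosen for illustration.

```python
"""Added example, not code from ipsilon or mod_auth_mellon.

Shows SP metadata whose binding endpoints inherit the scheme of the request
that fetched the metadata, and a check that flags non-https endpoints before
the metadata is handed to an IdP.  All names here are hypothetical.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def endpoint_base(request_url, endpoint_path, force_https=False):
    """Derive the $SP/$MellonEndpointPath base from the URL the client used.

    With force_https=False this mirrors the behaviour in the ticket: scheme
    and host come from the request, so an http:// fetch yields http://
    endpoints.  With force_https=True the scheme is pinned to https no matter
    how the metadata was requested.
    """
    parts = urlsplit(request_url)
    scheme = "https" if force_https else parts.scheme
    path = "/" + endpoint_path.strip("/")
    return urlunsplit((scheme, parts.netloc, path, "", ""))


def build_sp_metadata(request_url, endpoint_path="saml2", force_https=False):
    """Build minimal SP metadata (constructed, illustrative endpoint names)."""
    base = endpoint_base(request_url, endpoint_path, force_https)
    ET.register_namespace("md", MD_NS)
    desc = ET.Element(f"{{{MD_NS}}}EntityDescriptor",
                      entityID=f"{base}/metadata")
    sp = ET.SubElement(
        desc, f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService",
                  Binding=HTTP_REDIRECT, Location=f"{base}/logout")
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=f"{base}/postResponse",
                  index="0")
    return ET.tostring(desc, encoding="unicode")


def insecure_endpoints(metadata_xml):
    """Return every Location in the SP metadata that is not an https URL."""
    root = ET.fromstring(metadata_xml)
    bad = []
    for el in root.iter():
        loc = el.get("Location")
        if loc is not None and urlsplit(loc).scheme != "https":
            bad.append(loc)
    return bad


if __name__ == "__main__":
    # Constructed request URLs: fetching over http yields http endpoints,
    # fetching over https (or pinning the scheme) yields none to flag.
    for url, pin in [("http://sp.example.com/saml2/metadata", False),
                     ("https://sp.example.com/saml2/metadata", False),
                     ("http://sp.example.com/saml2/metadata", True)]:
        md = build_sp_metadata(url, force_https=pin)
        print(url, "force_https=%s" % pin, "->", insecure_endpoints(md))
```

The same insecure_endpoints() check can be run over metadata fetched from a real SP before it is registered with an IdP; an empty result is what the IdP side should require.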


Fields changed

milestone: => 1.1

This was fixed as a side-effect of 42700be which requires SSL on SP when using --saml-secure-setup.

resolution: => fixed
rhbz: =>
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @nkinder:
- Issue set to the milestone: 1.1

7 years ago

