#129 Require SSL for SAML2 protected endpoint
Closed: Duplicate. Opened 4 years ago by rcritten.

If you go to http://sp.example.com/protected you'll get properly redirected to the IdP for authentication. After authenticating, the redirect to the SP will be redirected back to the IdP, and then there is an infinite loop between the two.

This is due to the secure cookie. The browser doesn't send the cookie to an insecure site, so the SP thinks it needs to authenticate again, but it is already authenticated, so back to the SP. Rinse and repeat.

The fix for this is to require SSL on the protected endpoint.

Fields changed

milestone: => 1.1

After looking at this again, the requirement is satisfied with the redirect IMHO.

If we put an SSLRequireSSL in there, the user could get a 403 Forbidden, which isn't very nice.

resolution: => duplicate
rhbz: =>
status: new => closed
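The loop in the report and the SSLRequireSSL-versus-redirect question in the comment above, reproduced in a small simulation. This is an added example, not code from the Ipsilon project or from the ticket's author: it models a browser that honours the cookie Secure attribute, an SP that sends a visitor to the IdP whenever it sees no session cookie, and an IdP that already has a login and bounces straight back. Hostnames, paths, cookie names and the `mode` switch are made up for the illustration; `"forbid"` stands in for an SSLRequireSSL 403 and `"redirect"` for an http-to-https redirect placed ahead of the auth check.

```python
"""Simulate the redirect loop from a Secure session cookie on an http endpoint.

Added example; hostnames, paths, cookie names and the mode switch are assumed.
"""
from urllib.parse import parse_qs, quote, urlsplit

SP_HOST = "sp.example.com"
IDP_HOST = "idp.example.com"
MAX_HOPS = 20  # loop guard; a real browser also gives up after some hops


class Browser:
    """Minimal cookie jar that applies the Secure attribute."""

    def __init__(self):
        self.cookies = {}  # (host, name) -> (value, secure)

    def store(self, host, name, value, secure):
        self.cookies[(host, name)] = (value, secure)

    def cookies_for(self, url):
        parts = urlsplit(url)
        sent = {}
        for (host, name), (value, secure) in self.cookies.items():
            if host != parts.hostname:
                continue
            if secure and parts.scheme != "https":
                continue  # Secure cookies are never sent over plain http
            sent[name] = value
        return sent


def sp_handler(url, cookies, browser, mode):
    """SP: /protected needs a session, /acs receives the IdP response."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        if mode == "forbid":
            return 403, None  # SSLRequireSSL-style answer: user sees Forbidden
        if mode == "redirect":
            return 302, "https://" + SP_HOST + parts.path  # the friendlier fix
    if parts.path == "/acs":
        # Assertion accepted: set the session cookie with the Secure flag and
        # send the user back to the page originally requested.
        browser.store(SP_HOST, "sp-session", "s1", secure=True)
        return 302, parse_qs(parts.query)["ReturnTo"][0]
    if "sp-session" in cookies:
        return 200, None
    # No session cookie arrived: start SAML2 authentication at the IdP.
    return 302, "https://%s/saml2/SSO/Redirect?ReturnTo=%s" % (
        IDP_HOST, quote(url, safe=""))


def idp_handler(url, cookies, browser):
    """IdP: user already logged in, so immediately redirect to the SP ACS."""
    parts = urlsplit(url)
    if "idp-session" not in cookies:
        return 200, None  # would show the login form; not reached here
    return_to = parse_qs(parts.query)["ReturnTo"][0]
    return 302, "https://%s/acs?ReturnTo=%s" % (SP_HOST, quote(return_to, safe=""))


def visit(start_url, mode="none"):
    """Follow redirects from start_url; return (final_status, hops, looped)."""
    browser = Browser()
    # The state the ticket assumes: the user is already logged in at the IdP.
    browser.store(IDP_HOST, "idp-session", "i1", secure=True)
    url = start_url
    for hop in range(MAX_HOPS):
        cookies = browser.cookies_for(url)
        if urlsplit(url).hostname == SP_HOST:
            status, location = sp_handler(url, cookies, browser, mode)
        else:
            status, location = idp_handler(url, cookies, browser)
        if status != 302:
            return status, hop, False
        url = location
    return None, MAX_HOPS, True


if __name__ == "__main__":
    for mode in ("none", "forbid", "redirect"):
        print(mode, visit("http://sp.example.com/protected", mode))
    print("https start", visit("https://sp.example.com/protected"))
```

With no protection the http visit never terminates (the ACS sets the Secure cookie, the return to the http URL drops it, and the SP starts over); the same visit over https finishes after three redirects. The `"forbid"` mode ends the loop but with a bare 403, while `"redirect"` costs one extra hop and lands the user on the page they asked for.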

Metadata Update from @rcritten:
- Issue set to the milestone: 1.1

2 years ago
