If you go to http://sp.example.com/protected you'll get properly redirected to the IdP for authentication. After authenticating, the redirect to the SP will be redirected back to the IdP, and then an infinite loop between the two.
This is due to the secure cookie. The browser doesn't send the cookie to an unsecure site so the SP thinks it needs to authenticate again, but it already is authenticated so back to the SP. Rinse and repeat.
The fix for this is to require SSL on the protected endpoint.
milestone: => 1.1
I think this is a duplicate of https://fedorahosted.org/ipsilon/ticket/80
After looking at this again, the requirement is satisfied with the redirect IMHO.
If we put an SSLRequireSSL in there the user could get a 403 Forbidden which isn't very nice.
resolution: => duplicate
status: new => closed
Metadata Update from @rcritten:
- Issue set to the milestone: 1.1
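The loop described in this ticket, and the two remedies discussed in the comments, can be reproduced with a small model. This is an added example, not part of the ticket or of Ipsilon's code; the IdP and assertion-endpoint URLs, the `relay` parameter and the policy names `none`, `redirect` and `require_ssl` are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs, quote

SP_HOST = "sp.example.com"
IDP_URL = "https://idp.example.com/sso"   # hypothetical IdP endpoint
ACS_URL = "https://sp.example.com/acs"    # hypothetical SP assertion endpoint

def sp(url, has_session, policy):
    """Model SP: returns (status, location, sets_secure_cookie)."""
    u = urlsplit(url)
    if u.path == "/acs":                  # assertion accepted, session created
        return 302, parse_qs(u.query)["relay"][0], True
    if u.scheme == "http" and policy == "redirect":
        return 302, "https://" + u.netloc + u.path, False
    if u.scheme == "http" and policy == "require_ssl":
        return 403, None, False           # what SSLRequireSSL would produce
    if has_session:
        return 200, None, False
    return 302, IDP_URL + "?relay=" + quote(url, safe=""), False

def idp(url):
    """Model IdP: the user is authenticated, so bounce back to the SP."""
    relay = parse_qs(urlsplit(url).query)["relay"][0]
    return 302, ACS_URL + "?relay=" + quote(relay, safe=""), False

def browse(start, policy, max_hops=12):
    """Follow redirects like a browser; a Secure cookie only goes to https."""
    url, cookie, hops = start, False, []
    for _ in range(max_hops):
        u = urlsplit(url)
        hops.append(url.split("?")[0])
        if u.netloc == SP_HOST:
            sent = cookie and u.scheme == "https"   # Secure flag enforcement
            status, loc, set_cookie = sp(url, sent, policy)
            cookie = cookie or set_cookie
        else:
            status, loc, _ = idp(url)
        if status != 302:
            return status, hops
        url = loc
    return "loop", hops                   # redirect budget exhausted

if __name__ == "__main__":
    for policy in ("none", "redirect", "require_ssl"):
        status, hops = browse("http://sp.example.com/protected", policy)
        print(policy, status, len(hops), "hops")
```

With `none` the browser never presents the session cookie on the http URL and the hop budget runs out; `redirect` ends in a 200 on the https URL, while `require_ssl` stops at the 403 mentioned in the comments.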