Shibboleth Developers

[Ian Young <>]

I noticed the behaviour I'm about to describe some time ago, but it has 
persisted in a new installation of 1.3 and so I'm documenting it in the 
hope that someone might have a clue as to what is going on and put me 
out of my misery.

I have a test SP (now running 1.3, but this was true in 1.2 as well) 
where the idea was to test all sorts of things.  As a result, it is 
accessable from both http and https as follows:

<RequestMap applicationId="default">
  <Host name="target.iay.org.uk" port="8446" scheme="https">
    <Path name="secure" requireSession="true" exportAssertion="true" />
  </Host>
  <Host name="target.iay.org.uk" scheme="http">
    <Path name="secure" requireSession="true" exportAssertion="true" />
  </Host>
</RequestMap>

Now, if I use Firefox, both of these are equivalent: accessing through 
either http://target.iay.org.uk/ or https://target.iay.org.uk:8446/ the 
CGI script I use for testing reports that HTTP_SHIB_ATTRIBUTES has been 
populated with some Base64 which it proceeds to show me for diagnostic 
purposes (and decode to the XML for the soporific effects).

Switching to Internet Explorer, the same thing happens with the https 
route.  However, if I go through the http route, I get the script 
executed with (apparently) all the appropriate attribute headers 
populated *except* for HTTP_SHIB_ATTRIBUTES.

Then, for the ultimate in weirdness, if I hit F5 to re-fetch the page, 
the script behaves as it did for me in Firefox and the 
HTTP_SHIB_ATTRIBUTES contents appear.  Contents of things like targeted 
ID and cookies are identical, so this is not a new session.  The only 
other thing I'd note is that this happens just after one of those "is it 
OK to continue" messages that IE gives you when you redirect from https 
to http (the assertion consumer is forced to be https irrespective of 
the scheme used for the content).  I don't see why that would be 
relevant, though.

The other difference between the first version of the page and the 
second is that although the address bar in both shows the http URL, the 
first page's SERVER_PORT is 8446 (same as the assertion consumer URL) 
and HTTP_HOST is likewise target.iay.org.uk:8446.  The refresh makes 
these 80 and target.iay.org.uk, which is what you get using Firefox.

Anyone have any ideas as to why this baffling behaviour is happening? 
It isn't terribly important in practice, but obviously anything 
unexplained is suspect in this game.

        -- Ian the bemused