Shibboleth Developers

["Scott Cantor" <>]

> case: IIS, redirectToSSL is set in a host element of the
> RequestMapProvider Now every request for that host gets redirected to SSL,

> Shibboleth auth or not. That doesn't feel right.

The point was to block access to the port because IIS won't do it for me,
and that's it. I'm not trying to rebuild a web server here.

Heck, it's still not even clear to me what this is useful for. It's a little
more annoying than it should be, but it's not that hard to get IIS to handle
all of this, you just add sslport="443" and scheme="https" to the Host and
then you can passthrough port 80 and let IIS trigger its own error template
for this problem.

Maybe the real problem is Apache makes this harder than it should be.

> it seems to me that it might be interesting to move the code 
> for redirection ("If not SSL, check to see if we should block or redirect 
> it.") later in the process so it runs right before "clearHeaders".
> I think this would make the redirect option only respond when 
> authType="Shibboleth". That feels very clean to me.

You can do that now, just don't put the redirect on the host, put it on the
content you want to block. With your solution, you *can't* use the command
except where authType is set, but mine is independent of authType.

-- Scott