IdP's Advertising Both http and https
Dick Hardt
dick at sxip.com
Wed Nov 8 08:42:52 UTC 2006
On 7-Nov-06, at 12:34 PM, Recordon, David wrote:
> Moving this to the list, I really should have started it there in the
> first place.
>
> --David
>
> -----Original Message-----
> From: Recordon, David
> Sent: Monday, November 06, 2006 2:06 PM
> To: 'Dick Hardt'; Josh Hoyt
> Subject: RE: IdP's Advertising Both http and https
>
> Hey Dick,
> But the security warnings will still exist:
> - RP redirects me to http on IdP
> - IdP redirects me to https on IdP for login page (warning)
no warning on GET redirects
> - I interact with IdP for "trust request" via https
> - I submit HTTPS form
> - IdP redirects me back to RP via http (warning)
not if you do a GET redirect
>
> Am I missing something here?
redirected POSTs produce a warning, redirected GETs do not
>
> I guess I'm not sure what I think we should do, though don't think this
> is a simple problem.
We built this out with our SXIP 2.0 code. Worked fine. No warnings.
-- Dick