I was wondering if anyone else has noticed this possible issue that I describe below. I set up my testing SP with an embedded DS about a year ago, but I configured it pretty by-the-book from what I remember.
When I look at the network activity in my browser, I notice that after selecting an IdP from the /shibboleth-ds page it proceeds to set the “_saml_idp” cookie as described in both the IdP Discovery spec and the SAML v2.0 spec. In the latter spec, it is mentioned that “The cookie MUST be marked as secure”. But according to the browser the Secure parameter is not set. I should note that when testing a different SP that uses the Discovery Service living on our *IdP*, the IdP DS is in fact setting “_saml_idp” as secure.
Is this something I am just doing wrong in my configuration of the SP’s embedded DS? Is this even a problem or am I misunderstanding the use of that cookie?
As an aside, just before sending this email I also noticed that the “shib_idp_session” cookie from the IdP is also not being set as secure.
Nathan Lee | Systems Infrastructure Administrator
Systems Engineering | Division of Information Technology
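As an added check (not code from the thread or from the Shibboleth project), the following script parses Set-Cookie response headers and reports which of the two cookies discussed above are delivered without the Secure attribute. It assumes the cookies arrive as Set-Cookie headers; a cookie written by in-page JavaScript, as an embedded DS may do, never shows up in those headers and has to be inspected in the browser's cookie store instead. The sample headers are constructed.

```python
"""Flag SAML-related cookies set without the Secure attribute.

Assumes the cookies are delivered via Set-Cookie response headers; a cookie
written by in-page JavaScript does not appear here.
"""
from typing import Dict, Iterable, List

# The two cookies discussed in the message: the discovery-service cookie and
# the IdP session cookie. Both carry session-related state and should be Secure.
WATCHED_COOKIES = ("_saml_idp", "shib_idp_session")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_val, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if has_val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_secure(headers: Iterable[str],
                           watched: Iterable[str] = WATCHED_COOKIES) -> List[str]:
    """Return the watched cookie names whose Set-Cookie header lacks Secure."""
    watched = set(watched)
    missing: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in watched and "secure" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed sample headers, modelled on what the message reports seeing.
SAMPLE_HEADERS = [
    "shib_idp_session=0123abcd; Path=/idp; HttpOnly",
    "_saml_idp=aHR0cHM6Ly9pZHAuZXhhbXBsZS5vcmc%3D; Path=/; Max-Age=7776000",
    "JSESSIONID=node0xyz; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"{name}: Secure attribute not set")
```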