Embedded DS not setting secure _idp_saml cookie


Embedded DS not setting secure _idp_saml cookie

Lee, Nathan W

Afternoon all,

I was wondering if anyone else has noticed this possible issue that I describe below. I set up my testing SP with an embedded DS about a year ago, but I configured it pretty by-the-book from what I remember.

When I look at the network activity in my browser, I notice that after selecting an IdP from the /shibboleth-ds page it proceeds to set the “_saml_idp” cookie as described in both the IdP Discovery spec and the SAML v2.0 spec. In the latter spec, it is mentioned that “The cookie MUST be marked as secure”. But according to the browser the Secure parameter is not set. I should note that when testing a different SP that uses the Discovery Service living on our *IdP*, the IdP DS is in fact setting “_saml_idp” as secure.

Is this something I am just doing wrong in my configuration of the SP’s embedded DS? Is this even a problem or am I misunderstanding the use of that cookie?

As an aside, just before sending this email I also noticed that the “shib_idp_session” cookie from the IdP is also not being set as secure.

Thank you,

Nathan Lee | Systems Infrastructure Administrator
Systems Engineering | Division of Information Technology
Texas A&M University

0971 TAMU | College Station, TX 77843
ph: 979.862.5761 | [hidden email]
- - - - - - - - - - - - - - - - - - - - - - - - 
IT.tamu.edu


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Embedded DS not setting secure _idp_saml cookie

Cantor, Scott E.
On 1/23/20, 3:23 PM, "users on behalf of Nathan Lee" <[hidden email] on behalf of [hidden email]> wrote:

> Is this something I am just doing wrong in my configuration of the SP’s embedded DS? Is this even a problem or am I
> misunderstanding the use of that cookie?

I don't know what controls it in the EDS but unless you're running on port 80 it doesn't rightly matter, least of all for a cookie that contains an IdP name.
 
> As an aside, just before sending this email I also noticed that the “shib_idp_session” cookie from the IdP is also not
> being set as secure.

That's up to the deployer.

-- Scott


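A check for what both messages discuss, added here as an example and not code from the Shibboleth EDS, SP or IdP: it audits Set-Cookie headers for the Secure and HttpOnly attributes and encodes/decodes a `_saml_idp` value the way the SAML IdP Discovery Profile defines it (each entity ID base64-encoded, entries separated by a single space, most recently used IdP last). The entity IDs, host names and cookie values are constructed to mirror the thread; `fetch_and_audit` is the only part that touches the network and is not run by the sample. Accepting a percent-encoded space between entries is an assumption about how some deployments store the value, not something the profile states.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes and decode
the SAML IdP Discovery Profile `_saml_idp` cookie.

Added example for this thread; not code from the Shibboleth EDS, SP or IdP.
All entity IDs, host names and cookie values below are constructed.
"""
import base64
import binascii
import urllib.request
from urllib.parse import unquote

# Constructed entity IDs, oldest first (the profile keeps the most recently
# used IdP at the end of the list).
SAMPLE_IDPS = [
    "https://idp.example.org/idp/shibboleth",
    "https://login.example.edu/idp/shibboleth",
]


def encode_saml_idp(entity_ids):
    """Build a _saml_idp value: each entity ID base64-encoded, joined by a
    single space, most recently used last (SAML IdP Discovery Profile)."""
    return " ".join(
        base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids
    )


def decode_saml_idp(value):
    """Inverse of encode_saml_idp. Accepts a literal space or a percent-encoded
    one between entries (assumption: deployments differ on how the space is
    stored). A malformed entry becomes None so positions are preserved."""
    decoded = []
    for token in unquote(value).split():
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            decoded.append(None)
    return decoded


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs). Attribute names
    are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookies(headers, js_readable=frozenset()):
    """Return (cookie name, missing attribute) pairs. Cookies in js_readable
    are read by browser-side script (the EDS reads _saml_idp through
    document.cookie), so HttpOnly is not required of them."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "Secure"))
        if name not in js_readable and "httponly" not in attrs:
            findings.append((name, "HttpOnly"))
    return findings


# Constructed headers mirroring the thread: EDS cookie and IdP session cookie
# without Secure, SP session cookie with both attributes. Values are fake.
SAMPLE_HEADERS = [
    "_saml_idp=" + encode_saml_idp(SAMPLE_IDPS) + "; Path=/",
    "shib_idp_session=ZmFrZS1zZXNzaW9u; Path=/idp; HttpOnly",
    "_shibsession_64656661756c74=_ZmFrZQ; Path=/; Secure; HttpOnly",
]


def audit_sample():
    """Run the audit over the constructed headers."""
    return audit_set_cookies(SAMPLE_HEADERS, js_readable={"_saml_idp"})


def fetch_and_audit(url, js_readable=frozenset({"_saml_idp"})):
    """Fetch one URL and audit every Set-Cookie header on the final response.
    urlopen follows redirects, so cookies set by intermediate responses are
    not seen. Network access; not run by the sample."""
    with urllib.request.urlopen(url) as resp:
        return audit_set_cookies(resp.headers.get_all("Set-Cookie") or [], js_readable)


if __name__ == "__main__":
    for cookie, flag in audit_sample():
        print(f"{cookie}: missing {flag}")
    _, value, _ = parse_set_cookie(SAMPLE_HEADERS[0])
    print("remembered IdPs:", decode_saml_idp(value))
```

Two caveats when acting on the output. The EDS runs in the browser and reads `_saml_idp` from `document.cookie`, so that cookie must not be HttpOnly even though the IdP's own `shib_idp_session` and the SP's `_shibsession_*` cookies should carry both attributes; the `js_readable` exemption encodes that. And a missing Secure attribute only bites when the browser can be made to send a plaintext request to the same host (an `http://` link or a port-80 listener), since a cookie without it goes out over http as well as https; HSTS closes that avenue, which is why a TLS-only host is a weaker finding than the spec wording suggests. On the IdP side, the deployer controls the attribute with the `idp.cookie.secure` property in idp.properties.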