[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-users
Subject:    RE: Juniper ssl vpn strips double slash
From:       Bart Ophelders <Bart.Ophelders () icts ! kuleuven ! be>
Date:       2011-07-27 10:17:42
Message-ID: AAD316D782B99545AEF3C52BBF3B1832A141716866 () ICTS-S-EXC2-CA ! luna ! kuleuven ! be
[Download RAW message or body]


Hello,

We have the same problem with our juniper ssl vpn.
We noticed that SP's using the SAML2 Artifact protocol get through without
problems.

Bart

-----Original Message-----
From: Peter Schober [mailto:peter.schober@univie.ac.at] 
Sent: woensdag 27 juli 2011 9:25
To: users@shibboleth.net
Subject: Re: Juniper ssl vpn strips double slash

* Francesco Malvezzi <francesco.malvezzi@unimore.it> [2011-07-26 15:29]:
> when accessing a SP inside juniper ssl vpn, users authenticate on Idp, 
> then receive an error:
> 
> Error Message: No profile handler configured for request at path:
> /SAML2/Redirect/http:/sp.cesia.unimo.it/Shibboleth.sso/SAML2/POST
> 
> It looks the correct url: http://sp.cesia.unimo.it get stripped by a 
> slash and now is not correct any more: http:/sp.cesia.unimo.it

The problem is not dropping one slash from the URL. Slapping on an URL at
the end of REQUEST_URI /SAML2/Redirect/ does not make a valid request (or
protocol endpoint).

> Has anybody experienced something similar? Are there known work-around?

I've been reported the exact same behaviour a couple weeks ago, only with
our Cisco VPN when used in "Web VPN" mode (not using a real VPN client on
the client maschine). The current workarounds for us are to a. Recomend use
of a locally installed vpn client instead of web vpn b. Try to get web site
owners to not require campus IP address ranges
   *and* SAML2 sessions simultaneously (the latter should suffice).

-peter

--
To unsubscribe from this group, send email to
users+unsubscribe@shibboleth.net

["smime.p7s" (application/pkcs7-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]