NetID Login Service - Importance of Secure Cookies
Force SSL on all Paths
Any path you define as requiring Shibboleth authentication should be reachable only over SSL; otherwise the session cookie and the SAML response can cross the network in the clear before any of the cookie flags below matter.
On a Windows server, you can accomplish this by adding the redirectToSSL="443" attribute to every Path element in the RequestMap of your shibboleth2.xml (see NetID Login Service - Requiring Shibboleth Authentication). If you're using a port other than 443 for SSL, use that value instead. (Note that to configure Shibboleth to use a non-standard SSL port, the port number and the scheme "https" must also be specified in the Host element, or the redirect will go to the wrong place.)
In Apache, you can force SSL with native functionality instead of the RequestMap: for example, a Redirect or mod_rewrite rule in the port-80 VirtualHost that sends every request to the https:// URL, or SSLRequireSSL inside the protected Location. The Shibboleth Apache module also honours ShibRequestSetting redirectToSSL 443 inside a Location, which has the same effect as the RequestMap attribute above.
Use cookieProps
You can use the cookieProps attribute in the Sessions element of your shibboleth2.xml to limit cookie use to requests made over SSL. To do this, add cookieProps="; path=/; secure; HttpOnly" to your Sessions element and set handlerSSL="true". The secure flag stops the browser from sending the _shibsession_ cookie over plain http, HttpOnly keeps it away from JavaScript, and handlerSSL="true" makes the /Shibboleth.sso handler itself refuse non-SSL requests. Note that the attribute name is case-sensitive: "cookieprops" is silently ignored by the SP, so check the spelling if the flags do not appear on the cookie. (SP 2.4 and later also accept the shorthand cookieProps="https", which expands to the same three properties.)
Example Sessions element using cookieProps (child elements such as SessionInitiator and Handler are unchanged and omitted here):
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true"
              cookieProps="; path=/; secure; HttpOnly"
              exportLocation="localhost/Shibboleth.sso/GetAssertion" exportACL="127.0.0.1"
              idpHistory="false" idpHistoryDays="7">
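Both halves of this page (redirectToSSL on every protected Path, and secure/HttpOnly cookie flags plus handlerSSL on Sessions) are easy to get subtly wrong, so here is a small standard-library audit script that reads a shibboleth2.xml and reports which of these settings are missing. This is an added example, not code from the NetID Login Service documentation or from the Shibboleth project. The two configurations embedded below are constructed for the example; the audit only inspects attributes set directly on each Path element and does not model authType inherited from Host or RequestMap, so a Path that relies on inheritance will be skipped rather than flagged.

```python
"""Audit a shibboleth2.xml for the SSL and cookie settings described above.

Added example (not from the NetID Login Service docs or the Shibboleth
project). It checks, using only the standard library:
  1. every RequestMap <Path> with authType="shibboleth" carries redirectToSSL
     (the Windows/IIS approach), and
  2. <Sessions> has handlerSSL="true" and a cookieProps value that sets
     both 'secure' and 'HttpOnly'.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "admin" Path lacks redirectToSSL, the handler
# accepts plain http, and the cookie carries neither secure nor HttpOnly.
WEAK_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.edu" scheme="https" port="443">
        <Path name="secure" authType="shibboleth" requireSession="true" redirectToSSL="443"/>
        <Path name="admin" authType="shibboleth" requireSession="true"/>
      </Host>
    </RequestMap>
  </RequestMapper>
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="false"
              cookieProps="; path=/"/>
  </ApplicationDefaults>
</SPConfig>
"""

# The same file with the three fixes from the page applied.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    '<Path name="admin" authType="shibboleth" requireSession="true"/>',
    '<Path name="admin" authType="shibboleth" requireSession="true" redirectToSSL="443"/>',
).replace(
    'handlerSSL="false"', 'handlerSSL="true"'
).replace(
    'cookieProps="; path=/"', 'cookieProps="; path=/; secure; HttpOnly"'
)


def _local(tag):
    """Strip the XML namespace so the checks work whatever prefix the file uses."""
    return tag.rsplit("}", 1)[-1]


def audit(config_xml):
    """Return a list of findings; an empty list means both settings are as recommended."""
    root = ET.fromstring(config_xml)
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Path" and el.get("authType", "").lower() == "shibboleth":
            # Only attributes on the Path itself are examined (no inheritance from Host).
            if not el.get("redirectToSSL"):
                findings.append(f'Path "{el.get("name")}" requires Shibboleth but has no redirectToSSL')
        elif name == "Sessions":
            if el.get("handlerSSL", "false").lower() != "true":
                findings.append('Sessions handlerSSL is not "true"')
            props = el.get("cookieProps", "")
            # Split the cookie property string into its individual flags, case-insensitively.
            flags = {p.strip().lower() for p in props.split(";")}
            # SP 2.4+ accepts the shorthand cookieProps="https", equivalent to
            # "; path=/; secure; HttpOnly".
            if props.strip().lower() == "https":
                flags |= {"secure", "httponly"}
            for wanted in ("secure", "httponly"):
                if wanted not in flags:
                    findings.append(f'Sessions cookieProps does not set "{wanted}"')
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'OK'}")
```

To run it against a real deployment, replace the embedded strings with open("/etc/shibboleth/shibboleth2.xml").read() (or the Windows install path); the audit walks every element regardless of depth, so it works for files that wrap Path elements in PathRegex or nested Path blocks as long as the attributes are set on the element itself.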