Why shibboleth IdP idp-metadata.xml recommends 8443 for SOAP?

Question

After the install.sh of 2.4.0 Shibboleth Identity Server, the idp-metadata.xml file is created. Why is that? Is not enough secure to use the standard HTTPS/443 port?

    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/SLO" />
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>

Thanks,

Tamas

Cross-post: http://serverfault.com/q/601487/131794 – unor Jun 04 '14 at 16:59 — unor, Jun 04 '14 at 16:59

score 0 · Answer 1 · answered Jun 09 '14 at 17:16

Using Linux, a non-privileged user like "tomcat" cannot bind to ports below 1024. Front-end load-balancers like Apache and Nginx start as the user root to bind to privileged ports like port 80 and port 443. A common setup would involve running your Tomcat instance on an unprivileged port like 8080 or 8443 and then proxying that port via Apache or Nginx.

Why shibboleth IdP idp-metadata.xml recommends 8443 for SOAP?

1 Answers1