[Shib-Users] Add custom headers to the /Shibboleth.sso URL in Apache...

[Moni Patil]

I am using iFrame to request URL for an SP (2.0).

 

The problem is that, the cookies are blocked by IE because they are considered as third-party. It works, if I set the security level to LOW.

 

Another option is to add a custom “p3p” header and IE will accept the third party cookie even at Medium-High security level.

 

Is there a way to add this header for calls to /Shibboleth.sso url? I tried in Apache and was not able to. It works for ALL the urls, except for this one.

 

Thanks,

 

Moni Patil
TNS
5 High Ridge Park, 3rd Floor
Stamford, CT 06905

Phone: 203-653-9609

Email: moni....@tns-global.com

 

[Scott Cantor]

> Is there a way to add this header for calls to /Shibboleth.sso url? I
tried
> in Apache and was not able to. It works for ALL the urls, except for this
> one.

I don't know of any reason other than the Apache feature you're using isn't
fully compatible with Apache's own internals. I assume you're trying to
attach a response header. mod_shib doesn't do anything to prevent that
unless Apache itself does.

If you need the SP to do something itself (like manually inserting response
headers), you'll have to file a request for that.

As a practical matter, I don't think the p3p solution is really worth
pursuing. Hacking around browser limitations is a sign that what you're
doing isn't going to be reliable or consistent.

-- Scott