ConsortiumGARR/idem-tutorials

shibidp4 idp.properties

Closed this issue · 2 comments

I think that the following could be useful for security reasons

idp.cookie.secure = true
idp.frameoptions = DENY

Hi Giuseppe and forgive me for this very late answer... :(

The "idp.cookie.secure" property has been set to "false" on Shibboleth IdP v3.x for backward compatibility but should be set to true in most cases so... You are right! Fortunately, on the new Shibboleth v4.x the default value of this property has been changed to "true".

The default value of the "idp.frameoptions" property has been set to "DENY" since Shibboleth IdP v3.4.0: IdP 3.x - Release Note

Thank you so much!

better late than never 👍
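
An added example, not part of the original issue thread or the idem-tutorials project: a small Python check that reads the text of an idp.properties file and reports the effective values of the two properties discussed above, applying the version defaults stated in the reply. The function names, the sample file content and the handling of releases before 3.4.0 (no default assumed for idp.frameoptions) are assumptions of this example.

```python
# Added example: audit idp.properties for the two settings from this thread.
# Defaults follow the thread: idp.cookie.secure is false on v3.x and true on
# v4.x; idp.frameoptions defaults to DENY from v3.4.0.

# Constructed sample content, not taken from a real deployment.
SAMPLE = """\
idp.entityID = https://idp.example.org/idp/shibboleth
#idp.cookie.secure = true
idp.frameoptions : SAMEORIGIN
"""

def parse_properties(text):
    """Minimal .properties parser: comments, '=' or ':' separators, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or commented-out line: the default applies
        for i, ch in enumerate(line):
            if ch in "=:":
                key, value = line[:i], line[i + 1:]
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props

def audit(text, version):
    """Return (effective settings, findings) for an IdP at `version`, e.g. (3, 3, 0)."""
    props = parse_properties(text)
    defaults = {
        "idp.cookie.secure": "true" if version >= (4,) else "false",
        # Assumption: the thread states no default for releases before 3.4.0.
        "idp.frameoptions": "DENY" if version >= (3, 4, 0) else None,
    }
    effective = {k: props.get(k, d) for k, d in defaults.items()}
    findings = []
    if (effective["idp.cookie.secure"] or "").lower() != "true":
        findings.append("idp.cookie.secure is not true: cookies lack the Secure flag")
    if (effective["idp.frameoptions"] or "").upper() != "DENY":
        findings.append("idp.frameoptions is not DENY: framing is not fully blocked")
    return effective, findings

if __name__ == "__main__":
    for ver in [(3, 3, 0), (4, 0, 0)]:
        print(ver, *audit(SAMPLE, ver), sep="\n  ")
```

A commented-out line counts as unset, so the same file yields different effective values on v3.x and v4.x.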