metadata-support - RE: [Metadata-Support] port numbers in metadata

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] port numbers in metadata
  • Date: Thu, 7 Jul 2016 13:39:16 +0000
  • Accept-language: en-US

> Same reason as back-channel stuff tends to cause trouble, which is that
> firewalls can block that port. As well as being a problem you'd need to
> fix at
> the IdP side, you need to be prepared to deal with odd firewall behaviour
> any location a client tries to authenticate from, where with the back
> it's "only" the firewalls at SP locations.

Some browsers won't even connect by default to atypical ports, though I
think 8443 still tends to be allowed. There really is just no reason
whatsoever to play games with this.

> A minor issue is that if you ever did want the IdP to grow a back channel
> any reason, you'd have to go even more off the reservation as you don't
> want to run front and back channel on the same port.

That's pretty much over now, sort of. We certainly have no documentation
about it, but the IdP and SP now are both equipped to operate cleanly over
port 443 for SOAP messaging by turning on signing and encryption
automatically, at least if one accepts that as a viable security model (and
the rest of the world certainly does).

-- Scott
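An added example, not part of this message or of any Shibboleth/InCommon tooling: a small metadata check that flags SAML endpoints published on a port other than the scheme's default, the "games with this" the thread advises against. The metadata is a constructed sample; the entity ID and paths are hypothetical.

```python
# Added example (not from the thread): scan SAML metadata for endpoints
# whose Location URL names an atypical port such as 8443.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENDPOINT_TAGS = (
    "SingleSignOnService", "SingleLogoutService", "ArtifactResolutionService",
    "AttributeService", "AssertionConsumerService",
)
STANDARD_PORTS = {"https": 443, "http": 80}

# Constructed sample: one browser-facing SSO endpoint on 443, a second one and
# the SOAP ArtifactResolutionService on 8443. Entity ID and paths are made up.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org:8443/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def atypical_port_endpoints(metadata_xml):
    """Return (tag, binding, location, port) for every endpoint whose URL
    carries an explicit port that differs from the scheme's default."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for tag in ENDPOINT_TAGS:
        for ep in root.iter(f"{{{MD_NS}}}{tag}"):
            loc = ep.get("Location", "")
            parts = urlsplit(loc)
            port = parts.port  # None when no port is written in the URL
            if port is not None and port != STANDARD_PORTS.get(parts.scheme):
                findings.append((tag, ep.get("Binding", ""), loc, port))
    return findings

if __name__ == "__main__":
    for tag, binding, loc, port in atypical_port_endpoints(SAMPLE_METADATA):
        # Browser-facing (non-SOAP) endpoints on odd ports are the worse case.
        kind = "back-channel" if binding.endswith(":SOAP") else "front-channel"
        print(f"{kind} {tag} on port {port}: {loc}")
```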