Per-Entity Metadata Working Group

[Jorj Bauer <>]

If the endpoint is trying to retrieve content via https, and it contacts 
a proxy to perform that work, then either

 - the proxy transparently proxies the TLS, and can't see the contents 
of the stream; or

 - you've configured the endpoint to subvert TLS in some way (skip TLS 
validation, or install custom root certificate that pretends to be what 
it's not).



On 7/27/16 5:29 PM, Nick Roy wrote:
> Why not?  The caching proxy takes the request and retrieves the target 
> document, then the SAML deployment trusts the presumably self-signed cert on 
> the caching proxy.  In any case, this is one reason it's great that our trust 
> model doesn't depend on browser TLS.
>
> Nick
>
> On 7/27/16, 3:04 PM, 
> "
>  on behalf of Jorj Bauer" 
> <
>  on behalf of 
> >
>  wrote:
>
>     >> That said, if others want to run their own local copy, why don't they 
> just stand up local
>     >> HTTP proxies?
>     >
>     > Caching proxies, at least. Obviously they can, but I was reacting to 
> the idea that we could somehow rely on that being common as a stopgap for the 
> primary being reliable enough. It was never the intent that the Shibboleth 
> implementation would demand that backstop.
>
>     ... until you migrate to https, and then you can't cache the
>     intermediate document.