...

Note that in order for export to occur, the exportLocation and exportACL properties must be set for the relevant application's <Sessions> element.

Distributed Scenarios

In some cases, it's possible for the code that needs to perform the retrieval to be running on a different host from the SP itself. One such scenario would be a Java container fronted by Apache, such that Apache and the SP run separately from the Java container. The SP doesn't provide any real way of "securing" the retrieval step.

In particular, a non-localhost request would be subject to various attacks unless the retrieving code included some kind of TLS-based authentication check. The SP itself relies only on IP address checking to limit who can access the assertions, and this is much less safe when values other than the loopback address are allowed.

One solution to this problem is to use an SSH tunnel between the retrieving host and the host running the SP. An untested command to achieve this might look like:

    # -L 80:localhost:80 forwards local port 80 to port 80 on the SP host (binding local port 80 needs root);
    # -f backgrounds ssh after authenticating, -N runs no remote command
    ssh <username>@<sp.example.org> -L 80:localhost:80 -f -N
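The tunnel plus the retrieval step, as an added example that is not code from the Shibboleth wiki or the SP; the user, host, ports, the export path and the key parameter are assumptions, and the forward target is restricted to loopback so the SP's IP check only ever sees 127.0.0.1:

```shell
#!/bin/sh
# Added example, not code from the Shibboleth wiki: wrap the SSH tunnel and the
# retrieval so that the SP only ever sees a loopback source address.
# All names below are assumptions: user, host, ports and export path (set
# exportLocation on the <Sessions> element to whatever path you chose).
SP_USER="${SP_USER:-exporter}"
SP_HOST="${SP_HOST:-sp.example.org}"
LOCAL_PORT="${LOCAL_PORT:-8080}"   # unprivileged, so no root is needed locally
REMOTE_PORT="${REMOTE_PORT:-80}"   # the SP's web server port on the SP host
EXPORT_PATH="${EXPORT_PATH:-/Shibboleth.sso/GetAssertion}"  # assumed exportLocation

# Only accept loopback as the forward target on the SP host. Forwarding to any
# other address would reopen the IP-address-only check the text warns about.
forward_spec() {
    case "$1" in
        127.*|localhost|::1) printf '%s:%s:%s' "$LOCAL_PORT" "$1" "$REMOTE_PORT" ;;
        *) echo "refusing non-loopback forward target: $1" >&2; return 1 ;;
    esac
}

# Command that opens the tunnel in the background (-f) with no remote shell (-N).
tunnel_cmd() {
    spec=$(forward_spec "${1:-localhost}") || return 1
    printf 'ssh -f -N -L %s %s@%s' "$spec" "$SP_USER" "$SP_HOST"
}

# URL the retrieving code calls; it points at localhost, so the request leaves
# this host through the tunnel and reaches the SP from 127.0.0.1.
export_url() {
    printf 'http://localhost:%s%s?key=%s' "$LOCAL_PORT" "$EXPORT_PATH" "$1"
}

# Retrieve one exported assertion by key; --fail makes an ACL rejection visible
# as a non-zero exit status instead of an HTML error page.
fetch_assertion() {
    curl --silent --show-error --fail "$(export_url "$1")"
}

# Usage, once the functions are sourced:
#   eval "$(tunnel_cmd)" && fetch_assertion "<assertion key>"
```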