On Tue, 20 Dec 2011, Lanxin Ma wrote: > Shuld I run HTTPS everywhere in invenio if I intergrate Shobboleth > with Invenio ?
It is not necessary strictly speaking, e.g. public pages like `/search' for public collections or `/help' pages can still live under HTTP, e.g. guests can use HTTP, etc. However, once people log in via SSO, then it is preferable (security-wise) that HTTPS remains used for every resource from then on. This is also why we switched to this behaviour in Invenio master branch few months ago. Best regards -- Tibor Simko
