Can Google SAML work over HTTP, or is it exclusively for HTTPS?


I understand that you should use HTTPS for secure communication etc.; however, my testing application is HTTP (as it is only used by me). This is the only reason for asking this.

Google is being used as an identity provider for SAML, and here (bullet point 11) they state "Note: The ACS URL has to start with https://." Is this simply a recommendation on the side of Google, or must all Service Providers have an HTTPS ACS URL? If it is the latter, are there any hacks to get it to work with HTTP without requiring a certificate?

I currently have it set up using HTTP and it does not work, so I'm trying to determine if this is the issue or some other misconfiguration.

Any help is appreciated, thanks!

1 answer

mysterykid (best answer)

I experimented around and the answer is no - the ACS URL must be https. Google SAML requires an encrypted service to talk to; otherwise authentication will fail.
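
A preflight check for the requirement discussed above, as an added example that is not part of the original question or answer: it reads a service provider's SAML metadata and flags every AssertionConsumerService Location that does not start with https://. The metadata, entity ID and host names are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (hypothetical entity ID and hosts).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://localhost:8080/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def check_acs_url(url):
    """Return a list of problems with one ACS URL (empty list means OK)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'!r}, must be https")
    if not parts.hostname:
        problems.append("no host in URL")
    return problems

def audit_sp_metadata(xml_text):
    """Map each AssertionConsumerService Location to its list of problems."""
    root = ET.fromstring(xml_text)  # input is your own SP metadata, not untrusted XML
    report = {}
    for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS):
        location = acs.get("Location", "")
        report[location] = check_acs_url(location)
    return report

if __name__ == "__main__":
    for location, problems in audit_sp_metadata(SAMPLE_METADATA).items():
        print(("FAIL" if problems else "OK  "), location, "; ".join(problems))
```

An empty problem list for every Location rules out the URL scheme as the cause, which leaves other misconfiguration to investigate.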