IDP 3 SSL off-load

Robert Duncan Robert.Duncan at ncirl.ie
Thu Jun 16 12:23:44 EDT 2016


Hi,

After an in-place upgrade from 2.3 to 3.2.1 running on Windows I get the following error from the message handler:

Message Handler:  Checking SAML message intended destination endpoint against receiver endpoint
2016-06-16 15:30:10,010 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:190] - Message Handler:  Intended message destination endpoint: https://idp.ncirl.ie/idp/profile/SAML2/Redirect/SSO
2016-06-16 15:30:10,010 - DEBUG [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:191] - Message Handler:  Actual message receiver endpoint: http://idp.ncirl.ie/idp/profile/SAML2/Redirect/SSO
2016-06-16 15:30:10,010 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler:  SAML message intended destination endpoint 'https://idp.ncirl.ie/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'http://idp.ncirl.ie/idp/profile/SAML2/Redirect/SSO'
2016-06-16 15:30:10,010 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:182] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: SAML message failed received endpoint check

It's an endpoint scheme mismatch. I am using the Jetty container behind an IIS proxy, and SSL is offloaded at a network load balancer.

I have SSL on the LB and also a self-signed certificate on IIS for MITM. What is the authoritative source for endpoints? Because in the metadata and in reality there is a message receiver on the https scheme. Since I already have 2 SSL certificates and want to ignore Jetty completely, how can I 'tell' the IdP what the endpoints are, and why is the 'Actual message receiver endpoint' http now? Presumably this is something I have to configure in Jetty?

Thanks,
Rob.
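The check that fails in the log above compares the Destination the SP wrote into the AuthnRequest against the URL the container believes it received the message on; when TLS is terminated upstream, the container only sees http. The following is an added illustration, not Shibboleth's own code: a simplified re-implementation of that comparison that reconstructs the receiver URL from the request and honours X-Forwarded-Proto only when the immediate peer is a trusted proxy. The host idp.example.org, the proxy address and the AuthnRequest are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed: addresses of the load balancer / reverse proxy allowed to set X-Forwarded-Proto.
TRUSTED_PROXIES = {"10.0.0.5"}

def encode_redirect_request(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (URL-encoding omitted here)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()

def intended_destination(saml_request: str) -> str:
    """Reverse the encoding and read the Destination the SP wrote into the AuthnRequest."""
    root = ET.fromstring(zlib.decompress(base64.b64decode(saml_request), -15))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.attrib["Destination"]

def receiver_endpoint(scheme, host, path, peer_ip, headers) -> str:
    """URL the container believes it received the message on. With TLS offloaded the
    container itself only sees http; honour X-Forwarded-Proto, but only from a trusted
    proxy, otherwise any client could forge the scheme."""
    if peer_ip in TRUSTED_PROXIES and "X-Forwarded-Proto" in headers:
        scheme = headers["X-Forwarded-Proto"]
    return urlunsplit((scheme, host, path, "", ""))

def normalise(url: str):
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/")

def endpoint_check(saml_request, scheme, host, path, peer_ip, headers):
    """Simplified intended-vs-actual endpoint comparison; returns (ok, intended, actual)."""
    intended = intended_destination(saml_request)
    actual = receiver_endpoint(scheme, host, path, peer_ip, headers)
    return normalise(intended) == normalise(actual), intended, actual

# Constructed AuthnRequest with an https Destination, as the SP's metadata would advertise.
SAMPLE_REQUEST = encode_redirect_request(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed1" Version="2.0" IssueInstant="2016-06-16T15:30:10Z" '
    b'Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>')

if __name__ == "__main__":
    for hdrs in ({}, {"X-Forwarded-Proto": "https"}):
        ok, i, a = endpoint_check(SAMPLE_REQUEST, "http", "idp.example.org",
                                  "/idp/profile/SAML2/Redirect/SSO", "10.0.0.5", hdrs)
        print(f"{'match' if ok else 'MISMATCH'}: intended={i} actual={a}")
```

The first iteration reproduces the mismatch from the log; the second passes because the proxy's forwarded scheme is trusted, while the same header from an untrusted peer is ignored.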



