Help Needed with SP HTTPS Reverse Proxy

David E. Newswanger David_Newswanger at
Mon Oct 2 14:30:45 EDT 2017

Thanks for the help. I fixed the ServerName on Apache and now the IDP responds to the correct endpoint.

Now I'm getting an error telling me that the signature could not be verified.

sp_1   | sp-shibd 2017-10-02 18:24:54 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [2]: unable to verify message signature with supplied trust engine
sp_1   | sp-transaction 2017-10-02 18:24:54 INFO Shibboleth-TRANSACTION [2]: New session (ID: ) with (applicationId: default) for principal from (IdP: at (ClientAddress: with (NameIdentifier: none) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: )
sp_1   | sp-transaction 2017-10-02 18:24:54 INFO Shibboleth-TRANSACTION [2]: Cached the following attributes with session (ID: ) for (applicationId: default) {
sp_1   | sp-transaction 2017-10-02 18:24:54 INFO Shibboleth-TRANSACTION [2]: }
sp_1   | sp-native 2017-10-02 18:24:54 ERROR Shibboleth.Listener [32] shib_handler: remoted message returned an error: Message was signed, but signature could not be verified.

I checked the SP's certs and everything looks fine. Do you have any idea if this is something that is related to running the SP behind a proxy?


    David Newswanger

From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Friday, September 29, 2017 4:35:20 PM
To: Shib Users
Subject: Re: Help Needed with SP HTTPS Reverse Proxy

On 9/29/17, 4:28 PM, "users on behalf of David E. Newswanger" <users-bounces at on behalf of David_Newswanger at> wrote:

>  I configured the SP to not handle SSL requests as shown below:

That isn't what that does, and I don't think that's what you want anyway.

> The interesting thing here is that the IDP seems to be hitting an HTTP endpoint (which is inactive), rather than the HTTPS
> endpoint that I configured in the metadata.

The IdP is asked by the SP to respond to http, and it finds no matching enpdoint in the metadata. The metadata is what is matched against, not what it chooses to use.

> I double checked the metadata for this SP a few times and I can't see any reason why the IDP is doing this.

Because it's in the SP's request.

> I've run out of ideas about what might be going wrong here, and I was wondering if any of you guys might be able to point me in
> the right direction?

The only thing you have to do is the one thing you didn't, virtualize your web server. None of this is about the SP, Shibboleth, or metadata and there are no settings required anywhere but your web server except on IIS.

Since it's Apache, your ServerName is wrong and that's really all there is to it.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list