Invalid HTTP method (GET) error on SAML2/POST

Peter Schober peter.schober at
Wed Mar 28 15:45:22 EDT 2018

* HCUK eLearning <daveperryatwork at> [2018-03-28 17:05]:
> An SP-protected site is changing its URL (it had .srv in the URL

What "the URL"? In protocol endpoints? In the entityID?

> It now works fine on http, if I point my hosts file to the test
> server. The server does not have our external wildcard https
> certificate on it - it hasn't a clue that Sophos UTM (our reverse
> proxy) is doing this.

No idea what that means.

> UTM (v9), which has been setup to receive traffic from that URL to
> the same server running the SP, causes an error when I've logged
> into Shibboleth successfully:

No idea what that means.

> opensaml::BindingException at (
> Invalid HTTP method (GET).

That couldn't be any clearer, though.

> Equally, why is it mentioning http:// in the above error when it
> should be using https from the outside world? It not knowing about
> the reverse proxy may be involved.
> Any advice on how to keep all traffic HTTPs appreciated (extra
> detail, it's an IIS set and I've only set shibd to listen to the
> Default web site, as this is the one that UTM points to from the
> outside world).

The Shib SP provides/needs extra configuration to make virtualisation
work with IIS, AFAIR. Check the documentation for the RequestMap.

If you're actually asking "how to keep all traffic HTTPS" then that's
your answer: You run the web server with HTTPS-only, and the proxy
acts as both an HTTP(S) web server and as an HTTPS client.
Whether that's necessary depends on the network shared between your
web server and the reverse proxy (assuming the web server isn't
accessible directly).


More information about the users mailing list