Invalid HTTP method (GET) error on SAML2/POST

HCUK eLearning daveperryatwork at gmail.com
Thu Mar 29 09:19:58 EDT 2018


Hopefully this reply explains where we're at better (my head is getting
muddled, probably why what I wrote last time left some things not clearly
explained)...

The old external URL for the server was https://heritage.srv.hull-college.ac.uk
- it is now https://heritage.hull-college.ac.uk

Sophos UTM is our new reverse proxy - it's the reason we have to change
the name (Forefront TMG is the one we're phasing out - old and
unsupported). Names given in case anyone happens to have direct experience
of UTM as a reverse proxy.

We've made some changes and have the following results...

The HTTPS certificate is now straight on IIS on the server running the SP.
So now all traffic is secure to it (including internally).
Triggering a shibboleth login page, with my VM hosts file pointing directly
at the internal server for heritage.hull-college.ac.uk, it works as it
should (I trigger a login attempt, login, then get taken to the URL I asked
for, hurrah).

But if I point my hosts file at UTM, I get this error from shibboleth IdP
now (when I've tried triggering a login attempt):

ERROR - Unable to Respond
The login service was unable to identify a compatible way to respond to the
requested resource. This is generally to due to a misconfiguration on the
part of the resource and should be reported.

And I get the following error in the log file:

2018-03-29 13:34:19,210 - DEBUG [org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:126] -
Endpoint Resolver org.opensaml.saml.common.binding.impl.DefaultEndpointResolver:
Neither candidate endpoint location 'http://heritage.hull-college.ac.uk/Shibboleth.sso/SAML2/POST'
nor response location 'null' matched 'https://heritage.hull-college.ac.uk/Shibboleth.sso/SAML2/POST'

I wonder if this mismatch is the cause of the error displayed. I've
attached the metadata I created (from the IdP - with key removed
obviously), which has the correct URLs for the various bits.

How can I get shibboleth to realise it is on https on the SP side, to avoid
the mismatch error above? Looking at the RequestMap again, I can't see a
way of getting it to be explicitly https - or from the documentation.
I have made the following change in the InProcess section for IIS:
<Site id="1" name="heritage.hull-college.ac.uk" scheme="https" port="443"/>
But this didn't work (didn't make things any worse, but didn't help).



Dave
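Added illustration (not code from this thread, from Shibboleth, or from the attached metadata): a small Python model of the endpoint check behind the DefaultEndpointResolver log line above. The SP metadata fragment, the ACS URLs and the sp_scheme() model of how the SP picks its own scheme are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata fragment (stands in for the attached file, which is not reproduced here).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://heritage.hull-college.ac.uk/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://heritage.hull-college.ac.uk/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_locations(metadata_xml, binding=HTTP_POST):
    """Registered AssertionConsumerService locations for one binding."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location")
            for e in root.iterfind(".//md:AssertionConsumerService", NS)
            if e.get("Binding") == binding]

def resolve_endpoint(requested_acs, metadata_xml):
    """IdP-side check: the AssertionConsumerServiceURL the SP put in its
    AuthnRequest must exactly match a registered endpoint (scheme included).
    No match means the IdP refuses to respond rather than post the assertion
    to an unregistered URL, which is what 'Unable to Respond' reports."""
    return requested_acs if requested_acs in acs_locations(metadata_xml) else None

def diagnose(requested_acs, metadata_xml):
    """Explain a failed resolution: same host and path but a different scheme
    points at the SP building its URL from an http request behind the proxy."""
    req = urlsplit(requested_acs)
    for loc in acs_locations(metadata_xml):
        reg = urlsplit(loc)
        if (req.netloc, req.path) == (reg.netloc, reg.path) and req.scheme != reg.scheme:
            return f"scheme mismatch: SP sent {req.scheme}, metadata has {reg.scheme}"
    return "no registered endpoint shares host and path with the requested ACS"

def sp_scheme(tls_on_backend, site_scheme_override=None):
    """Simplified model (assumption, not the SP's code): an explicit scheme on the
    IIS <Site> element wins, otherwise the scheme the backend connection used.
    Behind a TLS-terminating proxy that is plain http, hence the mismatch."""
    return site_scheme_override or ("https" if tls_on_backend else "http")

if __name__ == "__main__":
    sent = sp_scheme(tls_on_backend=False) + "://heritage.hull-college.ac.uk/Shibboleth.sso/SAML2/POST"
    print(resolve_endpoint(sent, SP_METADATA), "-", diagnose(sent, SP_METADATA))
```

The mismatch check is the IdP doing its job: an assertion must only ever be posted to an endpoint the SP registered in metadata, so the fix belongs on the SP side (make it build https URLs, as the Site scheme override or end-to-end TLS to the backend is meant to do), not in relaxing the IdP.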

On Wed, Mar 28, 2018 at 8:45 PM, Peter Schober <peter.schober at univie.ac.at>
wrote:

> * HCUK eLearning <daveperryatwork at gmail.com> [2018-03-28 17:05]:
> > An SP-protected site is changing its URL (it had .srv in the URL
>
> What "the URL"? In protocol endpoints? In the entityID?
>
> > It now works fine on http, if I point my hosts file to the test
> > server. The server does not have our external wildcard https
> > certificate on it - it hasn't a clue that Sophos UTM (our reverse
> > proxy) is doing this.
>
> No idea what that means.
>
> > UTM (v9), which has been setup to receive traffic from that URL to
> > the same server running the SP, causes an error when I've logged
> > into Shibboleth successfully:
>
> No idea what that means.
>
> > opensaml::BindingException at (
> > http://heritage.hull-college.ac.uk/Shibboleth.sso/SAML2/POST)
> > Invalid HTTP method (GET).
>
> That couldn't be any clearer, though.
>
> > Equally, why is it mentioning http:// in the above error when it
> > should be using https from the outside world? It not knowing about
> > the reverse proxy may be involved.
> >
> > Any advice on how to keep all traffic HTTPs appreciated (extra
> > detail, it's an IIS set and I've only set shibd to listen to the
> > Default web site, as this is the one that UTM points to from the
> > outside world).
>
> The Shib SP provides/needs extra configuration to make virtualisation
> work with IIS, AFAIR. Check the documentation for the RequestMap.
>
> If you're actually asking "how to keep all traffic HTTPS" then that's
> your answer: You run the web server with HTTPS-only, and the proxy
> acts as both an HTTP(S) web server and as an HTTPS client.
> Whether that's necessary depends on the network shared between your
> web server and the reverse proxy (assuming the web server isn't
> accessible directly).
>
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sp-metadata-heritage0517_nokey.xml
Type: text/xml
Size: 5326 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20180329/95199264/attachment.xml>
