configuring shibboleth on AWS using ELB

Deirdre Kirmis Deirdre.Kirmis at
Tue Dec 17 12:12:08 EST 2019

Thank you so much, Scott(s)...I appreciate your responses. I have the SAML Tracer installed and will get the traces from both configurations and look through them, as you suggested. 

Also, I think all things are pointing to the fact that I need to add parameters in my <Session> configuration to preserve post data and repost it...just have to figure out how to do that.  I found this: and have been looking at the section "HTTP POST form data is lost when Shibboleth session expired or does not exist yet". 

I apologize, I did not realize support was typically only for members of the consortium, which it looks like our organization is not part of (I'm surprised)! I appreciate all of the help that I've gotten so far anyway!

Deirdre Kirmis
Technology Services
Arizona State University Library

-----Original Message-----
From: users <users-bounces at> On Behalf Of Scott Koranda
Sent: Tuesday, December 17, 2019 9:20 AM
To: Shib Users <users at>
Subject: Re: configuring shibboleth on AWS using ELB

> I am still struggling with this and trying to get it working.
> Shibboleth works perfectly on my server until I put it behind an AWS 
> load balancer.  Posting my configs, and wondering if anyone sees 
> anything that could be causing an issue? I appreciate any suggestions.

Hi Deirdre,

If I were to debug your issue, I would start by installing the SAML Tracer plugin in my web browser. It is available for both Firefox and for Chrome.

Then I would start with a clean browser (no history, no sessions, no cookies at all) and go through an entire flow and record it with SAML Tracer. I would do that first for the deployment without the AWS load balancer.

You can export the trace from the plugin and save it to a file, and then later reload it from that file.

Next I would do the same thing (again from a clean browser) but this time for the deployment with the AWS load balancer. I would again save the trace to a file.

I would then compare the two traces line by line and look for differences. I would pay special attention to cookies being set in the responses and which cookies are then sent back upstream. I would also compare the SAML assertions to the extent that I could (if the IdP encrypts the assertion you will not be able to see all of it in SAML Tracer, but you should be able to examine the envelope).

If when comparing the two traces nothing jumps out at you, you could post them (they are just JSON files) somewhere where community members on this list could download them and examine them (, or a GitHub gist, or whatever would be easy). If you do that, however, be aware that you need to first scrub your password from the JSON trace--it is often recorded if your password is sent upstream to the IdP via a normal POST.

I find this approach helpful, in addition to looking at log files, since it records all the details of the back and forth between your web browser and the IdP and SP.

My apologies if I am telling you things you already know or have tried...


Scott K
For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list