How to configure ACS URL in proxy scenario

Sternath, Elmar elmar.sternath at
Wed Apr 22 15:47:31 EDT 2020

Dear experts,

I would like to host an application protected by Shibboleth SP behind a reverse proxy, like so: ->

The reverse proxy is an Apache, the application an IIS site hosted on port 443.

However, I do not get the ACS URL set properly in the SAML request. The SAML request always contains the ACS URL without the port number.

What I have tried already in shibboleth2.xml:

<Site id="3" name="" scheme="https" port="4433" />
combined with
<Host name="" scheme="https" port="4433" >
    <Path name="mySAMLTest" authType="shibboleth" requireSession="true"/>
</Host>

Result: /mySAMLTest is not protected any more

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" handlerURL="" cookieProps="https">

Result: ACS URL is set properly, but when the IdP redirects to it, it returns error 404

<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

Result: ACS URL in Metadata file is set properly, but in the SAML request the port number is still missing.

From my understanding, I have to tell the Shibboleth SP somehow to add the port number to the ACS URL when creating the SAML request, I am just not able to figure out how.

Any help would be very much appreciated.

Thanks in advance and br,

Here is the whole shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
        <Library path="" fatal="true"/>
    </OutOfProcess>

    <ISAPI normalizeRequest="true" safeHeaderNames="true">
        <Site id="3" name=""/>
    </ISAPI>

    <RequestMapper type="Native">
        <RequestMap>
            <Host name="">
                <Path name="mySAMLTest" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <ApplicationDefaults entityID=""
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" signing="true">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <SSO entityID=""
                 discoveryProtocol="SAMLDS" discoveryURL="">
              SAML2
            </SSO>

            <Logout>SAML2 Local</Logout>

            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl=" ::1" />

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

            <Handler type="Status" Location="/Status" acl=" ::1"/>

            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>

        </Sessions>

        <Errors supportContact="root@localhost"/>

        <MetadataProvider type="XML" validate="true"
                          url="" backingFilePath="metadata-saml20.xml" maxRefreshDelay="7200"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" use="signing"
            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
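A small diagnostic added here (not part of the post above, nor of the Shibboleth SP itself) for checking the symptom the post describes: it decodes the SAMLRequest parameter of the SP's HTTP-Redirect binding URL, pulls out the AssertionConsumerServiceURL from the AuthnRequest, and reports whether its effective port is the one the reverse proxy expects. The IdP and SP hostnames and the sample AuthnRequest are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_redirect_request(saml_request_param: str) -> str:
    """Reverse the HTTP-Redirect binding encoding: base64-decode, then raw inflate."""
    raw = base64.b64decode(saml_request_param)
    # The Redirect binding uses DEFLATE without a zlib header (RFC 1951), hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8")

def encode_redirect_request(xml_text: str) -> str:
    """Inverse of decode_redirect_request; only used here to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def build_redirect_url(idp_sso_url: str, xml_text: str) -> str:
    """Build the redirect the SP would send the browser to (hypothetical IdP URL)."""
    return idp_sso_url + "?SAMLRequest=" + quote(encode_redirect_request(xml_text), safe="")

def acs_url_from_request(xml_text: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL attribute of an AuthnRequest, if present."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest: " + root.tag)
    return root.get("AssertionConsumerServiceURL")

def check_acs_port(acs_url: str, expected_port: int) -> bool:
    """True if the ACS URL's effective port (explicit, or the scheme default) is expected_port."""
    parts = urlparse(acs_url)
    effective = parts.port or (443 if parts.scheme == "https" else 80)
    return effective == expected_port

def diagnose(redirect_url: str, expected_port: int) -> Tuple[Optional[str], bool]:
    """From the SP's redirect URL, return (ACS URL in the request, does its port match?)."""
    param = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    acs = acs_url_from_request(decode_redirect_request(param))
    return acs, bool(acs) and check_acs_port(acs, expected_port)

# Constructed sample (hostnames are placeholders): the ACS URL lacks the proxy port,
# which is the symptom described in the post.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
    'IssueInstant="2020-04-22T19:47:31Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>' % SAMLP_NS
)
```

To use it against a live SP, copy the Location header of the redirect to the IdP and pass it to `diagnose(url, 4433)`; a `False` in the second element means the AuthnRequest still advertises the default port.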
