How to configure ACS URL in proxy scenario

Sternath, Elmar elmar.sternath at siemens.com
Wed Apr 22 15:47:31 EDT 2020


Dear experts,

I would like to host an application protected by Shibboleth SP behind a reverse proxy, like so:

https://samltest.example.org:4433/mySAMLTest -> https://samltest.example.org/mySAMLTest

The reverse proxy is an Apache, the application an IIS site hosted on port 443.

However, I do not get the ACS URL set properly in the SAML request. The SAML request always contains the ACS URL without the port number.

What I have tried already in shibboleth2.xml:

<Site id="3" name="samltest.example.org" scheme="https" port="4433" />
combined with
<RequestMap>
    <Host name="samltest.example.org" scheme="https" port="4433">
        <Path name="mySAMLTest" authType="shibboleth" requireSession="true"/>
    </Host>
</RequestMap>

Result: /mySAMLTest is not protected any more


<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" handlerURL="https://samltest.example.org:4433/Shibboleth.sso" cookieProps="https">

Result: ACS URL https://samltest.example.org:4433/Shibboleth.sso/SAML2/POST is set properly, but when the IdP redirects to it, it returns error 404


<Handler type="MetadataGenerator" Location="/Metadata" signing="false">
    <EndpointBase>https://samltest.example.org:4433/Shibboleth.sso</EndpointBase>
</Handler>

Result: ACS URL in Metadata file is set properly, but in the SAML request the port number is still missing.


From my understanding, I have to tell the Shibboleth SP somehow to add the port number to the ACS URL when creating the SAML request, I am just not able to figure out how.

Any help would be very much appreciated.

Thanks in advance and br,
Elmar

Here is the whole shibboleth2.xml:
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
    clockSkew="180">

    <OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a">
        <Extensions>
            <Library path="plugins.so" fatal="true"/>
        </Extensions>
    </OutOfProcess>

    <InProcess>
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <Site id="3" name="samltest.example.org"/>
        </ISAPI>
    </InProcess>

    <RequestMapper type="Native">
        <RequestMap>
            <Host name="samltest.example.org">
                <Path name="mySAMLTest" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>

    <ApplicationDefaults entityID="https://samltest.example.org:4433/shibboleth"
        REMOTE_USER="eppn subject-id pairwise-id persistent-id"
        cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" signing="true">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="true" cookieProps="https">

            <SSO entityID="https://idp.example.org"
                 discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
              SAML2
            </SSO>

            <Logout>SAML2 Local</Logout>

            <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false">
                <EndpointBase>https://samltest.example.org:4433/Shibboleth.sso</EndpointBase>
            </Handler>

            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <Handler type="Session" Location="/Session" showAttributeValues="false"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root at localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" validate="true"
                            url="https://idp.example.org/pf/federation_metadata.ping?PartnerSpId=https://samltest.example.org:4433/shibboleth" backingFilePath="metadata-saml20.xml" maxRefreshDelay="7200"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" use="signing"
            key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
        <CredentialResolver type="File" use="encryption"
            key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>
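The mismatch described in the mail (metadata advertises the ACS with port 4433, the AuthnRequest omits it) can be checked mechanically before involving the IdP. The script below is an added example, not part of the original post or of the Shibboleth SP: it decodes a Redirect-binding SAMLRequest value and verifies that its AssertionConsumerServiceURL is exactly one of the locations registered in the SP metadata, which is the comparison an IdP makes before it will return an assertion to that URL. The metadata and AuthnRequest it uses are constructed samples matching the EndpointBase from the configuration above.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: SP metadata as a MetadataGenerator with
# EndpointBase https://samltest.example.org:4433/Shibboleth.sso would publish it.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://samltest.example.org:4433/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://samltest.example.org:4433/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def build_authn_request(acs_url: str) -> str:
    """Constructed minimal AuthnRequest carrying the given ACS URL (sample only)."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'ID="_c0ffee" Version="2.0" IssueInstant="2020-04-22T19:47:31Z" '
            f'AssertionConsumerServiceURL="{acs_url}"/>')

def encode_redirect_param(xml_text: str) -> str:
    """Redirect binding: raw DEFLATE, then base64, then URL-encode the query value."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(data).decode("ascii"), safe="")

def decode_redirect_param(saml_request_param: str) -> str:
    """Undo the Redirect-binding encoding of a captured SAMLRequest= value."""
    raw = base64.b64decode(unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode()

def request_acs_url(authn_request_xml: str) -> str:
    return ET.fromstring(authn_request_xml).get("AssertionConsumerServiceURL", "")

def metadata_acs_urls(sp_metadata_xml: str) -> set:
    root = ET.fromstring(sp_metadata_xml)
    return {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}

def acs_matches_metadata(saml_request_param: str, sp_metadata_xml: str = SP_METADATA) -> bool:
    """True only if the request's ACS URL is one the SP metadata registers (exact string match)."""
    acs = request_acs_url(decode_redirect_param(saml_request_param))
    return acs in metadata_acs_urls(sp_metadata_xml)
```

Feed a SAMLRequest value captured from the browser's redirect to the IdP into `acs_matches_metadata`; a `False` result with the port-less URL reproduces the failure in the mail without waiting for the IdP's error page.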