Open access control for testing
Peter Schober
peter.schober at univie.ac.at
Wed Aug 12 08:02:06 UTC 2020
* Mathew, Sunil <smathew at hbs.edu> [2020-08-11 19:20]:
> Here is my problem. I deployed Shibboleth to ECS. But I was getting the following error in IdP logs:
>
> IDP_WARN: 2020-08-10 17:33:37,057 - 10.140.0.162 - ERROR
> [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200]
> - Message Handler: SAML message intended destination endpoint
> 'https://sso.hbsstg.org/idp/profile/SAML2/Redirect/SSO' did not
> match the recipient endpoint
> 'http://sso.hbsstg.org/idp/profile/SAML2/Redirect/SSO'
[...]
> requestScheme:http
> requestIsSecure:false
> requestServerPort:80
>
> We are trying to add tomcat valve with
> protocolHeader="x-forwarded-proto" so that we can get past the
> error.
Alternatively you could try setting the relevant attributes on the
relevant Tomcat (plain) HTTP Connector, e.g.
proxyPort="443"
scheme="https"
secure="true"
Of course you need to make sure there's no plain HTTP traffic being
accepted/forwarded to/from your TLS offloading service. (And the IdP doesn't
need plain HTTP support, not even with redirects to HTTPS, so just
block all non-HTTPS requests at the TLS offloading service.)
Cheers,
-peter
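For reference, here is a Tomcat server.xml fragment showing both approaches discussed above side by side: the connector attributes from the reply, and the RemoteIpValve with protocolHeader="x-forwarded-proto" that the original poster was about to add. This is an added example, not configuration from the thread or from the Shibboleth project; the listening port 8080, the loopback bind address, the 10.140.0.0/16 proxy range, and the hostname sso.example.org are illustrative assumptions.

```xml
<!-- Tomcat server.xml fragment (added example, not from the thread).
     Tomcat listens on plain HTTP behind a TLS-offloading load balancer.
     Port 8080, the bind address, the proxy IP range and the hostname
     are assumptions made for this example. Pick option A or B. -->
<Service name="Catalina">

  <!-- Option A (what the reply suggests): tell the plain HTTP connector
       that every request it receives was originally sent over HTTPS to
       port 443. HttpServletRequest#getScheme(), #isSecure() and
       #getServerPort() then return https / true / 443 unconditionally,
       so the IdP computes the recipient endpoint as
       https://sso.example.org/idp/profile/SAML2/Redirect/SSO and the
       ReceivedEndpointSecurityHandler comparison succeeds.
       This is only safe if the offloader never forwards a request that
       actually arrived as plain HTTP, because the connector no longer
       has any way to tell the difference. -->
  <Connector port="8080"
             protocol="HTTP/1.1"
             address="127.0.0.1"
             proxyPort="443"
             scheme="https"
             secure="true"
             connectionTimeout="20000" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Option B (what the original poster planned): derive the scheme
         from X-Forwarded-Proto, but only when the request comes from a
         listed proxy address. internalProxies is a regular expression
         matched against the client IP (10.140.0.0/16 is an assumption).
         Requests from any other source keep the connector's own scheme
         and port, so a client that can reach Tomcat directly cannot
         spoof https by sending the header itself. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.140\.\d{1,3}\.\d{1,3}"
           remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="false" />
  </Engine>
</Service>
```

Whichever option is used, the check that matters sits at the edge rather than in Tomcat: a request to http://sso.example.org/idp/ should be refused (or at most answered directly by the offloader), never proxied through to port 8080, and with option B the offloader must overwrite rather than append any X-Forwarded-Proto header a client supplies. After restarting Tomcat, a SAML authentication request should log the intended and recipient endpoints as identical https URLs instead of the mismatch quoted above.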