Open access control for testing

Peter Schober peter.schober at
Wed Aug 12 08:02:06 UTC 2020

* Mathew, Sunil <smathew at> [2020-08-11 19:20]:
> Here is my problem. I deployed Shibboleth to ECS. But I was getting the following error in IdP logs:
> IDP_WARN: 2020-08-10 17:33:37,057 - - ERROR
> []
> - Message Handler: SAML message intended destination endpoint
> '' did not
> match the recipient endpoint
> ''
> requestScheme:http
> requestIsSecure:false
> requestServerPort:80
> We are trying to add a Tomcat valve with
> protocolHeader="x-forwarded-proto" so that we can get past the
> error.

Alternatively you could try setting the relevant attributes on the
relevant Tomcat (plain) HTTP Connector, e.g.


Of course you need to make sure there's no plain HTTP traffic being
accepted/forwarded to/from your TLS offloading service. (And IDP doesn't
need plain HTTP support, not even with redirects to HTTPS, so just
block all non-HTTPS requests at the TLS offloading service.)
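
An added example, not part of the original message and not Shibboleth or Tomcat code: a simplified Python model of why the destination check fails behind a TLS offloader, and why a forwarded-protocol header should be honoured only when it arrives from the offloader's address. The host name, path, proxy subnet and function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed values: hypothetical IdP host and load-balancer subnet.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
DESTINATION = "https://idp.example.org/idp/profile/SAML2/POST/SSO"


def effective_request(peer_ip, scheme, port, headers):
    """Return (scheme, port) as the application should see them.

    X-Forwarded-Proto is honoured only when the TCP peer is a trusted
    proxy; from any other peer the header is ignored, since a client
    could set it itself.
    """
    trusted = any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    proto = headers.get("x-forwarded-proto", "").lower()
    if trusted and proto in DEFAULT_PORTS:
        return proto, DEFAULT_PORTS[proto]
    return scheme, port


def recipient_url(scheme, host, port, path):
    """Rebuild the URL the request arrived at, omitting default ports."""
    netloc = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def destination_matches(peer_ip, headers, scheme="http", port=80):
    """Compare the message's Destination with the rebuilt recipient URL."""
    scheme, port = effective_request(peer_ip, scheme, port, headers)
    url = recipient_url(scheme, "idp.example.org", port,
                        "/idp/profile/SAML2/POST/SSO")
    return url == DESTINATION


if __name__ == "__main__":
    fwd = {"x-forwarded-proto": "https"}
    # Offloader forwards plain HTTP and the container ignores the header.
    print("no header handling:", destination_matches("10.0.0.7", {}))
    # Header set by the trusted offloader is applied.
    print("via trusted offloader:", destination_matches("10.0.0.7", fwd))
    # Same header from an arbitrary client address is not applied.
    print("direct client:", destination_matches("203.0.113.9", fwd))
```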

