Open access control for testing

Mathew, Sunil smathew at hbs.edu
Wed Aug 12 19:09:15 UTC 2020 

We just added the VPN NAT address t o access control and that worked.

        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'199.94.00.00/32', '127.0.0.1/32', '::1/128'} }" />
        </entry>

PS: This is a test environment that we are setting up Shibboleth in ECS and the security group is limiting to clients only from VPN ip address.

Sunil


On 8/12/20, 4:02 AM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:

    * Mathew, Sunil <smathew at hbs.edu> [2020-08-11 19:20]:
    > Here is my problem. I deployed Shibboleth to ECS. But I was getting the following error in IdP logs:
    > 
    > IDP_WARN: 2020-08-10 17:33:37,057 - 10.140.0.162 - ERROR
    > [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200]
    > - Message Handler: SAML message intended destination endpoint
    > 'https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsso.hbsstg.org%2Fidp%2Fprofile%2FSAML2%2FRedirect%2FSSO&data=02%7C01%7Csmathew%40hbs.edu%7Cde308d73e83d4630d4d408d83e96064e%7C09fd564ebf4243218f2db8e482f8635c%7C0%7C0%7C637328161378736967&sdata=iOWEEcNGiTmOYRS2Pq1mNdoaO1wGpjkR5bMREojkobs%3D&reserved=0' did not
    > match the recipient endpoint
    > 'https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsso.hbsstg.org%2Fidp%2Fprofile%2FSAML2%2FRedirect%2FSSO&data=02%7C01%7Csmathew%40hbs.edu%7Cde308d73e83d4630d4d408d83e96064e%7C09fd564ebf4243218f2db8e482f8635c%7C0%7C0%7C637328161378741957&sdata=pX6yxbFNPshWQdKyZI2v%2Bmt2e8Rm53F7pSqP2l%2FhmZs%3D&reserved=0'
    [...]
    > requestScheme:http
    > requestIsSecure:false
    > requestServerPort:80
    > 
    > We are trying to add tomcat valve with
    > protocolHeader="x-forwarded-proto" so that we can get past the
    > error.

    Alternatively you could try setting the relevant attributes on the
    relevant Tomcat (plain) HTTP Connector, e.g.

      proxyPort="443"
      scheme="https"
      secure="true"

    Of course you need to make sure there's no plain HTTP traffic being
    accepted/forward to/from your TLS offloading service. (And IDP doesn't
    need plain HTTP support, not even with redirects to HTTPS, so just
    bock all non-HTTPS requests at the TLS offloading service.)

    Cheers,
    -peter
    -- 
    For Consortium Member technical support, see https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.shibboleth.net%2Fconfluence%2Fx%2FcoFAAg&data=02%7C01%7Csmathew%40hbs.edu%7Cde308d73e83d4630d4d408d83e96064e%7C09fd564ebf4243218f2db8e482f8635c%7C0%7C0%7C637328161378741957&sdata=C7yQbZDYtVik6b3R%2BfiFsxQNtdnAyjqymTcL22bPuCU%3D&reserved=0
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list