Open access control for testing

Mathew, Sunil smathew at
Wed Aug 12 19:09:15 UTC 2020

We just added the VPN NAT address to access control and that worked.

        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'', '', '::1/128'} }" />

PS: This is a test environment in which we are setting up Shibboleth in ECS, and the security group limits access to clients from the VPN IP address only.


On 8/12/20, 4:02 AM, "users on behalf of Peter Schober" <users-bounces at on behalf of peter.schober at> wrote:

    * Mathew, Sunil <smathew at> [2020-08-11 19:20]:
    > Here is my problem. I deployed Shibboleth to ECS. But I was getting the following error in IdP logs:
    > IDP_WARN: 2020-08-10 17:33:37,057 - - ERROR
    > []
    > - Message Handler: SAML message intended destination endpoint
    > '' did not
    > match the recipient endpoint
    > ''
    > requestScheme:http
    > requestIsSecure:false
    > requestServerPort:80
    > We are trying to add tomcat valve with
    > protocolHeader="x-forwarded-proto" so that we can get past the
    > error.

    Alternatively you could try setting the relevant attributes on the
    relevant Tomcat (plain) HTTP Connector, e.g.


    Of course you need to make sure there's no plain HTTP traffic being
    accepted/forwarded to/from your TLS offloading service. (And IDP doesn't
    need plain HTTP support, not even with redirects to HTTPS, so just
    block all non-HTTPS requests at the TLS offloading service.)
