SAML message intended destination endpoint did not match the recipient endpoint

Matthew Slowe Matthew.Slowe at jisc.ac.uk
Wed Mar 11 11:37:45 EDT 2020



On 11 Mar 2020, at 15:32, Gustavo Duarte <gus.duarte at gmail.com> wrote:


2020-03-11 14:32:00,831 - 127.0.0.1 - ERROR [org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler:200] - Message Handler:  SAML message intended destination endpoint 'https://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'http://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO'


Gustavo,

As luck would have it, I ran into the same problem this morning. For me, this was due to Tomcat not understanding that the real HTTP traffic (being terminated by Apache httpd) was done over https.

My fix was to amend the <Connector> block and add a "Valve" to the Tomcat server.xml's <Engine> block:

    <!-- internalProxies is a java.util.regex pattern, not a CIDR: a literal
         "10.1.2.0/16" never matches an address, so the valve would never trust
         the proxy and never honour x-forwarded-proto. This pattern covers 10.1.0.0/16. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.1\.\d{1,3}\.\d{1,3}"
           remoteIpHeader="x-forwarded-for"
           remoteIpProxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"
    />

Connector might now look like:

<Connector address="..." port="8080" protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true" />

Hope that helps!
--
Matthew Slowe
Technical Specialist - Trust & Identity

Jisc Trust and Identity Services
UK Access Management Federation - Assent - Certificate Service and Domain Registry

https://jisc.ac.uk/network/trust-and-identity


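As an added illustration (not Shibboleth, OpenSAML or Tomcat code, and not part of the thread above), the following Python models both halves of the problem: the Destination check that produced the error in Gustavo's log, and the RemoteIpValve behaviour that fixes it by reconstructing the scheme from X-Forwarded-Proto, but only when the immediate peer is an internal proxy. The proxy pattern, peer addresses and the sample AuthnRequest are constructed for the example; the URL canonicalisation is a simplified stand-in for what OpenSAML does before comparing.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Hypothetical internal-proxy pattern. Like Tomcat's RemoteIpValve
# internalProxies attribute this is a regular expression, not a CIDR;
# it matches 10.1.0.0/16 for this example.
INTERNAL_PROXIES = re.compile(r"10\.1\.\d{1,3}\.\d{1,3}")

# Constructed sample AuthnRequest carrying only the attributes the check needs.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2020-03-11T14:32:00Z" '
    'Destination="https://idp.gusduarte.tech/idp/profile/SAML2/Redirect/SSO"/>'
)


def received_endpoint(peer_ip, headers, local_scheme, host, path, trusted_proxies=None):
    """URL the servlet container believes the request arrived on.

    trusted_proxies=None models a Tomcat without RemoteIpValve: it only knows
    its own connector scheme (plain http behind a TLS-terminating httpd).
    With a pattern, X-Forwarded-Proto from a peer matching it overrides the
    scheme, which is what the valve does; the same header sent directly by an
    untrusted client is ignored, so an outside party cannot rewrite the scheme
    the IdP compares against.
    """
    scheme = local_scheme
    if trusted_proxies is not None and trusted_proxies.fullmatch(peer_ip):
        forwarded = headers.get("x-forwarded-proto")
        if forwarded:
            # Design choice for this example: with a comma-separated chain,
            # take the first (client-facing) value.
            scheme = forwarded.split(",")[0].strip().lower()
    return f"{scheme}://{host}{path}"


def destination_of(authn_request_xml):
    """Destination attribute of a samlp:AuthnRequest (raises if absent)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    destination = root.get("Destination")
    if not destination:
        raise ValueError("AuthnRequest has no Destination attribute")
    return destination


def canonical_url(url):
    """Lower-case scheme and host and drop the scheme's default port.

    Simplified analogue of the canonicalisation applied before comparison;
    query and fragment are not considered here.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path}"


def destination_matches(authn_request_xml, recipient_url):
    """The check behind the log line: the message's intended Destination must
    equal the endpoint the container believes it received the message on."""
    return canonical_url(destination_of(authn_request_xml)) == canonical_url(recipient_url)


if __name__ == "__main__":
    host, path = "idp.gusduarte.tech", "/idp/profile/SAML2/Redirect/SSO"
    headers = {"x-forwarded-proto": "https"}  # what httpd adds on the proxied hop
    for label, peer, proxies in [
        ("no valve", "10.1.2.5", None),
        ("valve, internal proxy", "10.1.2.5", INTERNAL_PROXIES),
        ("valve, header from outside", "203.0.113.9", INTERNAL_PROXIES),
    ]:
        recipient = received_endpoint(peer, headers, "http", host, path, proxies)
        ok = destination_matches(SAMPLE_AUTHN_REQUEST, recipient)
        print(f"{label:28} recipient={recipient} match={ok}")
```

The first case reproduces the error in the thread (recipient reconstructed as http, Destination is https); the second is the fixed setup; the third shows why the valve's internal-proxy match matters, since the header is dropped when it does not come from the trusted hop.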