SAML message intended destination endpoint did not match the recipient endpoin

Peter Schober peter.schober at
Wed Mar 11 11:45:33 EDT 2020

* Matthew Slowe <Matthew.Slowe at> [2020-03-11 16:38]:
> As luck would have it, I ran into the same problem this morning. For
> me, this was due to Tomcat not understanding that the real HTTP
> traffic (being terminated by Apache httpd) was done over https.
> My fix was to amend the <Connector> block and add a “Valve” to the
> Tomcat server.xml’s <Engine> block:

Only that the OP is using Jetty, not Tomcat.

>     <Valve className="org.apache.catalina.valves.RemoteIpValve"
>            internalProxies=“"
>            remoteIpHeader="x-forwarded-for"
>            remoteIpProxiesHeader="x-forwarded-by"
>            protocolHeader="x-forwarded-proto"
>     />
> Connector might now look like:
> <Connector address=“..." port=“8080" protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true" />

For httpd+Tomcat you shouldn't be HTTP proxying at all, IMO, but use
AJP between them. Then all that's needed is virtualising the scheme
and proxyPort (as shown above), if even that's still needed.
Or drop Apache httpd completely and only use Tomcat, really.

That last suggestion (drop Apache httpd and use the servlet container
as TLS-enabled webserver, too) would also apply to the OP and Jetty,
of course.

Personally I wouldn't set up a new system on Ubuntu 16 LTS (when 18
LTS exists), I wouldn't use httpd anymore and I wouldn't be installing
IDPv3 when IDPv4 was released *today*.


More information about the users mailing list