SAML message intended destination endpoint did not match the recipient endpoint

Gustavo Duarte gus.duarte at gmail.com
Wed Mar 11 11:53:15 EDT 2020


Thanks Matthew for your response but, as Peter said, I'm using Jetty, not
Tomcat.

Peter, you are right I should use Ubuntu 18 but I didn't know the 4.0
shibboleth is already released, good news.

I'm going to try removing Apache and let Jetty work alone.

Thanks

On Wed, 11 Mar 2020 at 12:46, Peter Schober (<
peter.schober at univie.ac.at>) wrote:

> * Matthew Slowe <Matthew.Slowe at jisc.ac.uk> [2020-03-11 16:38]:
> > As luck would have it, I ran into the same problem this morning. For
> > me, this was due to Tomcat not understanding that the real HTTP
> > traffic (being terminated by Apache httpd) was done over https.
> >
> > My fix was to amend the <Connector> block and add a “Valve” to the
> > Tomcat server.xml’s <Engine> block:
>
> Only that the OP is using Jetty, not Tomcat.
>
> >     <Valve className="org.apache.catalina.valves.RemoteIpValve"
> >            internalProxies="10.1.2.0/16"
> >            remoteIpHeader="x-forwarded-for"
> >            remoteIpProxiesHeader="x-forwarded-by"
> >            protocolHeader="x-forwarded-proto"
> >     />
> >
> > Connector might now look like:
> >
> > <Connector address="..." port="8080" protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true" />
>
> For httpd+Tomcat you shouldn't be HTTP proxying at all, IMO, but use
> AJP between them. Then all that's needed is virtualising the scheme
> and proxyPort (as shown above), if even that's still needed.
> Or drop Apache httpd completely and only use Tomcat, really.
>
> That last suggestion (drop Apache httpd and use the servlet container
> as TLS-enabled webserver, too) would also apply to the OP and Jetty,
> of course.
>
> Personally I wouldn't set up a new system on Ubuntu 16 LTS (when 18
> LTS exists), I wouldn't use httpd anymore and I wouldn't be installing
> IDPv3 when IDPv4 was released *today*.
>
> -peter
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
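
The mismatch discussed in this thread, as an added example (not code from the posters or from Shibboleth): a simplified Python model of how a servlet container behind a TLS-terminating proxy reconstructs its own URL, and why that fails the Destination comparison unless the forwarded scheme is honoured, and honoured only for trusted proxy addresses. Host names, addresses and function names are constructed, and the comparison is a simplification of what the IdP does.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def normalize(url):
    """Reduce a URL to (scheme, host, port, path) so default ports compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT[scheme], u.path

def receiver_url(peer_ip, headers, path, trusted_proxies=()):
    """URL the container reconstructs for a request arriving from the proxy.

    The proxy-to-container hop is plain HTTP, so the scheme starts as "http".
    X-Forwarded-Proto is honoured only when the peer address is inside one of
    the trusted proxy networks; otherwise any client could claim https.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = "http"
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        if h.get("x-forwarded-proto", "").lower() == "https":
            scheme = "https"
    host = urlsplit("//" + h["host"])          # Host header may carry a port
    port = host.port or DEFAULT_PORT[scheme]
    suffix = "" if port == DEFAULT_PORT[scheme] else f":{port}"
    return f"{scheme}://{host.hostname}{suffix}{path}"

def destination_matches(destination, receiver):
    """Simplified stand-in for the Destination vs. recipient endpoint check."""
    return normalize(destination) == normalize(receiver)

# Constructed sample: what the container sees for one proxied request.
DESTINATION = "https://idp.example.org/idp/profile/SAML2/POST/SSO"
HEADERS = {"Host": "idp.example.org", "X-Forwarded-Proto": "https"}
PATH = "/idp/profile/SAML2/POST/SSO"
PROXY_IP = "10.1.2.5"            # constructed proxy address
PROXY_NETS = ("10.1.2.0/24",)    # constructed trusted network

if __name__ == "__main__":
    for label, nets in (("proxy not trusted", ()), ("proxy trusted", PROXY_NETS)):
        url = receiver_url(PROXY_IP, HEADERS, PATH, nets)
        print(f"{label}: {url} match={destination_matches(DESTINATION, url)}")
```
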