SAML message intended destination endpoint did not match the recipient endpoint

Gustavo Duarte gus.duarte at gmail.com
Wed Mar 11 13:57:31 EDT 2020


Just to let you know, I managed to make the Apache + Jetty setup work
following this: https://www.eclipse.org/lists/jetty-users/msg05429.html

The problem was that Jetty needs a particular configuration to handle
X-Forwarded-For headers.

Thanks for your time.

Regards.


On Wed, 11 Mar 2020 at 12:53, Gustavo Duarte
(<gus.duarte at gmail.com>) wrote:
>
> Thanks Matthew for your response but, as Peter said, I'm using Jetty, not Tomcat.
>
> Peter, you are right, I should use Ubuntu 18, but I didn't know Shibboleth 4.0 was already released. Good news.
>
> I'm going to try to remove Apache and let Jetty work alone.
>
> Thanks
>
> On Wed, 11 Mar 2020 at 12:46, Peter Schober (<peter.schober at univie.ac.at>) wrote:
>>
>> * Matthew Slowe <Matthew.Slowe at jisc.ac.uk> [2020-03-11 16:38]:
>> > As luck would have it, I ran into the same problem this morning. For
>> > me, this was due to Tomcat not understanding that the real HTTP
>> > traffic (being terminated by Apache httpd) was done over https.
>> >
>> > My fix was to amend the <Connector> block and add a "Valve" to the
>> > Tomcat server.xml's <Engine> block:
>>
>> Only that the OP is using Jetty, not Tomcat.
>>
>> >     <!-- internalProxies is a java.util.regex pattern matched against the
>> >          peer address, not a CIDR; a value such as "10.1.2.0/16" would never
>> >          match a real IP, so the valve would silently do nothing. -->
>> >     <Valve className="org.apache.catalina.valves.RemoteIpValve"
>> >            internalProxies="10\.1\.\d{1,3}\.\d{1,3}"
>> >            remoteIpHeader="x-forwarded-for"
>> >            remoteIpProxiesHeader="x-forwarded-by"
>> >            protocolHeader="x-forwarded-proto"
>> >     />
>> >
>> > Connector might now look like:
>> >
>> > <Connector address="..." port="8080" protocol="HTTP/1.1" proxyPort="443" scheme="https" secure="true" />
>>
>> For httpd+Tomcat you shouldn't be HTTP proxying at all, IMO, but use
>> AJP between them. Then all that's needed is virtualising the scheme
>> and proxyPort (as shown above), if even that's still needed.
>> Or drop Apache httpd completely and only use Tomcat, really.
>>
>> That last suggestion (drop Apache httpd and use the servlet container
>> as TLS-enabled webserver, too) would also apply to the OP and Jetty,
>> of course.
>>
>> Personally I wouldn't set up a new system on Ubuntu 16 LTS (when 18
>> LTS exists), I wouldn't use httpd anymore and I wouldn't be installing
>> IDPv3 when IDPv4 was released *today*.
>>
>> -peter
>> --
>> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
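The thread above boils down to one mechanism: a servlet container behind a TLS-terminating httpd sees a plain-HTTP connection on its own listener (for example http://127.0.0.1:8080/...), rebuilds the request URL from that, and the IdP then compares that URL against the Destination attribute the SP put in the SAML message (https://idp.example.org/...), which is exactly the "intended destination endpoint did not match the recipient endpoint" error. Honoring X-Forwarded-Proto/Host/For (Jetty's ForwardedRequestCustomizer, Tomcat's RemoteIpValve) makes the container rebuild the URL as the client saw it. The security caveat that both mechanisms have to get right is that those headers must only be trusted when the peer is the reverse proxy, because any client that can reach the container's listener can send them itself. The simulation below is an added example written for this thread, not Jetty's or Tomcat's code; the hostnames, addresses and headers are constructed, and it assumes the proxy is configured to send X-Forwarded-Proto at all (mod_proxy sets X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server by default, but X-Forwarded-Proto needs an explicit `RequestHeader set X-Forwarded-Proto "https"`).

```python
"""Simulation of how a servlet container behind a TLS-terminating reverse
proxy reconstructs the request URL and client address, and why that
decides the SAML Destination check.

Hypothetical code written for this mailing-list thread; it is neither
Jetty's ForwardedRequestCustomizer nor Tomcat's RemoteIpValve. All
hosts, addresses and headers are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _first(value):
    """Chained proxies comma-join header values; the first one is the original."""
    return value.split(",")[0].strip()


def _is_trusted(addr, trusted_proxies):
    return any(ipaddress.ip_address(addr) in net for net in trusted_proxies)


def effective_request_url(conn, headers, trusted_proxies):
    """Rebuild the URL the application sees.

    conn: transport facts the container knows by itself on its own
          listener: scheme, server_name, server_port, remote_addr, path.
    headers: request headers (names matched case-insensitively).
    trusted_proxies: ip_network objects whose X-Forwarded-* headers are
          honored. Headers from any other peer are ignored as spoofable.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = conn["scheme"]
    host = h.get("host", conn["server_name"]).rsplit(":", 1)[0]
    port = conn["server_port"]
    if _is_trusted(conn["remote_addr"], trusted_proxies):
        if "x-forwarded-proto" in h:
            scheme = _first(h["x-forwarded-proto"]).lower()
            port = DEFAULT_PORTS[scheme]  # proxy may override with X-Forwarded-Port
        if "x-forwarded-host" in h:
            host = _first(h["x-forwarded-host"]).rsplit(":", 1)[0]
        if "x-forwarded-port" in h:
            port = int(_first(h["x-forwarded-port"]))
    authority = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{authority}{conn['path']}"


def client_address(conn, headers, trusted_proxies):
    """Walk X-Forwarded-For right to left, dropping trusted proxy hops; the
    first untrusted address is the real client. If the peer itself is not a
    trusted proxy the header is ignored entirely and the peer is the client."""
    peer = conn["remote_addr"]
    if not _is_trusted(peer, trusted_proxies):
        return peer
    h = {k.lower(): v for k, v in headers.items()}
    hops = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return peer


def destination_matches(saml_destination, request_url):
    """The comparison behind 'intended destination endpoint did not match the
    recipient endpoint': scheme, host, port and path must all be equal."""
    d, r = urlsplit(saml_destination), urlsplit(request_url)
    key = lambda u: (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme], u.path)
    return key(d) == key(r)


# Constructed scenario: httpd terminates TLS on :443 and proxies to Jetty on
# http://127.0.0.1:8080 (the mod_proxy default without ProxyPreserveHost).
TRUSTED = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("10.1.0.0/16")]
DESTINATION = "https://idp.example.org/idp/profile/SAML2/POST/SSO"
PATH = "/idp/profile/SAML2/POST/SSO"
PROXIED_CONN = {"scheme": "http", "server_name": "127.0.0.1", "server_port": 8080,
                "remote_addr": "127.0.0.1", "path": PATH}
PROXIED_HEADERS = {"Host": "127.0.0.1:8080", "X-Forwarded-For": "198.51.100.7",
                   "X-Forwarded-Host": "idp.example.org", "X-Forwarded-Proto": "https"}
# A client that reaches the Jetty listener directly and forges the same headers.
SPOOFED_CONN = dict(PROXIED_CONN, remote_addr="203.0.113.5")
SPOOFED_HEADERS = dict(PROXIED_HEADERS, **{"X-Forwarded-For": "10.1.2.3"})


def run_scenarios():
    """Return URL, Destination match and client address for each case."""
    cases = {
        "headers_ignored": (PROXIED_CONN, PROXIED_HEADERS, []),   # the OP's broken state
        "trusted_proxy": (PROXIED_CONN, PROXIED_HEADERS, TRUSTED),  # after the fix
        "spoofed": (SPOOFED_CONN, SPOOFED_HEADERS, TRUSTED),        # forged headers
    }
    out = {}
    for name, (conn, headers, trusted) in cases.items():
        url = effective_request_url(conn, headers, trusted)
        out[name] = {"url": url, "match": destination_matches(DESTINATION, url),
                     "client": client_address(conn, headers, trusted)}
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The first case reproduces the thread's error: with forwarded headers ignored the IdP sees http://127.0.0.1:8080/... and rejects a message addressed to https://idp.example.org/.... The second case is the state after Jetty or Tomcat is told to trust the proxy. The third case shows why that trust must be scoped to the proxy's address: the same headers from an arbitrary peer change neither the URL nor the logged client address.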

