[Shib-Users] Idp and Sp on the same server behind the LB


Daniele Russo

May 23, 2011, 12:41:39 PM
to shibbole...@internet2.edu
In our intranet configuration, we have the IdP and SP on the same server behind the load balancer.
The configuration of the balancer is designed to increase the performance of the server, so the SSL encoding is done by the load balancer.
The client talks to the LB on port 443, the LB talks to the servers on port 80.
The IdP is deployed under Tomcat; Apache invokes Tomcat via mod_jk.
In Apache we have set ServerName to https://examples.org:443 and UseCanonicalName to On, and we receive this error from the IdP:

16:21:50.060 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:190] - Checking SAML message intended destination endpoint against receiver endpoint
16:21:50.061 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:209] - Intended message destination endpoint: https://example.org/idp/profile/SAML2/Redirect/SSO
16:21:50.061 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:210] - Actual message receiver endpoint: http://example.org/idp/profile/SAML2/Redirect/SSO
16:21:50.062 - ERROR [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:214] - SAML message intended destination endpoint 'https://example.org/idp/profile/SAML2/Redirect/SSO' did not match the recipient endpoint 'http://www-svil.inarcassa.it/idp/profile/SAML2/Redirect/SSO'
16:21:50.064 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:337] - Message did not meet security requirements
org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint


Where are we wrong?

Thank you

Peter Schober

May 23, 2011, 12:53:37 PM
to shibbole...@internet2.edu
* Daniele Russo <rud...@gmail.com> [2011-05-23 18:41]:

> In apache we have setted ServerName to https://examples.org:443 and
> UseCanonicalName to On, we receive this error by idp:
>
> 16:21:50.060 - DEBUG
> [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:190] - Checking
> SAML message intended destination endpoint against receiver endpoint
> 16:21:50.061 - DEBUG
> [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:209] - Intended
> message destination endpoint:
> https://example.org/idp/profile/SAML2/Redirect/SSO
> 16:21:50.061 - DEBUG
> [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:210] - Actual
> message receiver endpoint: http://example.org/idp/profile/SAML2/Redirect/SSO

Scott mentioned in the past that this looked like a bug in mod_jk (and
mod_proxy_ajp, where I saw the same behaviour) but I didn't take this
any further as you can virtualize the settings in Tomcat's AJP
connector as well. The documentation is at
http://tomcat.apache.org/tomcat-6.0-doc/config/ajp.html#Common_Attributes
e.g. proxyPort="443" scheme="https"
-peter
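As an added illustration (not from the thread, and not OpenSAML's or Tomcat's own code), the following Python models the check the IdP log shows failing: the decoder compares the Destination carried in the SAML message against the URL the servlet container reports for the request. Behind a TLS-terminating balancer the container sees plain http on port 80 unless the AJP connector's `scheme`/`proxyPort`/`proxyName` attributes override what it reports, which is the fix Peter points at. The connector dictionaries and hostnames are constructed, and the canonicalization (case-insensitive host, default port dropped) is an assumption about how the two URLs are compared.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_url(url: str) -> str:
    """Normalize a URL so that https://Example.org:443/x and https://example.org/x
    compare equal (assumed comparison semantics, not OpenSAML's actual code)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def effective_request_url(connector: dict, ajp_scheme: str, ajp_host: str,
                          ajp_port: int, path: str) -> str:
    """What the container would report as the request URL.

    ajp_* are the values the front-end proxy hands over (behind a TLS-terminating
    balancer that is http / port 80).  The connector's scheme, proxyName and
    proxyPort attributes, when set, replace them (this mirrors the documented
    purpose of those Tomcat attributes; the dict shape here is constructed).
    """
    scheme = connector.get("scheme", ajp_scheme)
    host = connector.get("proxyName", ajp_host)
    port = int(connector.get("proxyPort", ajp_port))
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}{path}"
    return f"{scheme}://{host}:{port}{path}"


def destination_matches(intended: str, actual: str) -> bool:
    """The security check from the log: intended destination vs. receiver endpoint."""
    return canonical_url(intended) == canonical_url(actual)


# Constructed scenario: the SP sends the AuthnRequest to the endpoint published
# in the IdP's metadata, so that is the Destination the message carries.
INTENDED = "https://example.org/idp/profile/SAML2/Redirect/SSO"
PATH = "/idp/profile/SAML2/Redirect/SSO"

# Balancer terminates TLS and forwards plain http on port 80; the AJP connector
# passes that through unchanged.
PLAIN_CONNECTOR = {}

# Same deployment, but the connector is told what the client actually used.
PROXIED_CONNECTOR = {"scheme": "https", "proxyPort": "443", "proxyName": "example.org"}


def scenario(connector: dict) -> tuple:
    """Return (receiver endpoint as the container reports it, check result)."""
    actual = effective_request_url(connector, "http", "example.org", 80, PATH)
    return actual, destination_matches(INTENDED, actual)


if __name__ == "__main__":
    for name, conn in (("plain AJP", PLAIN_CONNECTOR), ("with proxy attrs", PROXIED_CONNECTOR)):
        actual, ok = scenario(conn)
        print(f"{name:17s} receiver={actual} match={ok}")
```

The first scenario reproduces the ERROR line in the log (https Destination against an http receiver endpoint); the second shows the same request passing once the connector reports the external scheme and port. The same failure mode appears if the balancer rewrites the Host header, which is why `proxyName` is included alongside `proxyPort`.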
