[Shib-Users] SAML message delivered with POST to incorrect server URL


Ulises Castillo

Jun 9, 2009, 12:34:14 PM6/9/09
to shibbole...@internet2.edu

Hi,


We are currently testing our SP configuration with TestShib and we are getting a “SAML message delivered with POST to incorrect server URL”. We suspect the error may be related to our web farm configuration. We have two web servers running IIS 6.0 where Shibboleth SP is installed, plus a load balancer (NetScaler) with SSL Accelerator installed. The SSL accelerator causes SSL traffic to be off-loaded between the load balancer and the web servers, so in fact the external HTTPS becomes an internal HTTP. This is fine for most web applications since the external traffic is still SSL encrypted, but we are wondering if this may be an issue with Shibboleth.


The error message details are below and the configuration and log files are attached. We’ll provide the log file or any other file upon request.


Please advise,


Thank you and regards,

Ulises Castillo

opensaml::BindingException

The system encountered an error at Mon Jun 08 11:02:06 2009

To report this problem, please contact the site administrator at root@localhost.

Please include the following message in any email:

opensaml::BindingException at (http://uat68.learn.com/Shibboleth.sso/SAML2/POST)

SAML message delivered with POST to incorrect server URL.

Scott Cantor

Jun 9, 2009, 4:59:45 PM6/9/09
to shibbole...@internet2.edu
Ulises Castillo wrote on 2009-06-09:
> We are currently testing our SP configuration with TestShib and we are
> getting a "SAML message delivered with POST to incorrect server URL". We
> suspect the error may be related to our web farm configuration. We have two
> web servers running IIS 6.0 where Shibboleth SP is installed, plus a load
> balancer (NetScaler) with SSL Accelerator installed. The SSL accelerator
> causes SSL traffic to be off-loaded between the load balancer and the web
> servers, so in fact the external HTTPS becomes an internal HTTP. This is fine
> for most web applications since the external traffic is still SSL encrypted,
> but we are wondering if this may be an issue with Shibboleth.

Actually, it's not fine at all unless your applications are generating
hardcoded redirects (which is brittle for obvious reasons). IIS doesn't
support this kind of thing natively, which seems to escape a lot of people's
notice.

I hacked around it for the purposes of the SP, but I can't fix the
application side of things.

https://spaces.internet2.edu/display/SHIB2/NativeSPNoSSL

My advice is not to use IIS in a manner it doesn't itself support, but you
can get the SP to work using the appropriate Site properties.

-- Scott


Ulises Castillo

Jun 9, 2009, 5:11:41 PM6/9/09
to shibbole...@internet2.edu
Thank you, Scott. I've added scheme and port to the Site properties and
it works now.

Ulises Castillo

Jun 11, 2009, 2:42:33 PM6/11/09
to shibbole...@internet2.edu
Scott,

Thank you for your reply. However, our IT group responsible for IIS
configuration is still experiencing problems with the concept of having
a "virtual web site running behind an SSL accelerator" for the https
schema suggested in the link provided:
https://spaces.internet2.edu/display/SHIB2/NativeSPISAPI

Could you please expand a little bit more on the following questions:

1. Since we don't have a default web site with ID=1 (instead we have
several web sites depending on the application and the client) we are
assuming that the ID for the first Site element in the example must be
the value of the Identifier (as displayed in the IIS Manager summary
window) for the web site that will handle port 80 traffic for the
Shibboleth ISAPI. Correct?

2. Regarding the ID for the second Site element in the example
(id="1534573457") we have a couple of questions. Is that the Identifier
of a new IIS web site that must be created specifically for the purpose
of handling the https schema? If so, what are the IP and headers that
should go into that web site? Also, couldn't we just add the
schema="https" attribute to the first Site element and combine both
entries into one, perhaps by adding the appropriate headers to the port
80 web site above?

3. The Site element has port and sslport attributes, but in the example
provided only port=443 is mentioned. We are assuming that the value of
sslport is not relevant in this case, correct?

Thanks and regards,
Ulysses
Learn.com

-----Original Message-----
From: Scott Cantor [mailto:cant...@osu.edu]
Sent: Tuesday, June 09, 2009 5:00 PM
To: shibbole...@internet2.edu

Scott Cantor

Jun 11, 2009, 3:06:14 PM6/11/09
to shibbole...@internet2.edu
Ulises Castillo wrote on 2009-06-11:
> 1. Since we don't have a default web site with ID=1 (instead we have
> several web sites depending on the application and the client) we are
> assuming that the ID for the first Site element in the example must be
> the value of the Identifier (as displayed in the IIS Manager summary
> window) for the web site that will handle port 80 traffic for the
> Shibboleth ISAPI. Correct?

You have to define a Site mapping in shibboleth2.xml for every IIS site that
you want the SP to see requests into and accurately perform any work on. Any
sites without a mapping will be ignored by the SP. There's no special
significance to the ID of 1. If you're not using a web site with that
instance ID, it doesn't need to be mapped.

There is no implied order to the <Site> elements you create. It's just a
mapping from IIS instance ID to the hostname and other properties you
supply.

> 2. Regarding the ID for the second Site element in the example
> (id="1534573457") we have a couple of questions. Is that the Identifier
> of a new IIS web site that must be created specifically for the purpose
> of handling the https schema?

That's an example that I thought would be clearer and apparently isn't. I
tried to explain what the example means in the text. If you could tell me
what's unclear about the text, I'll fix it.

> Also, couldn't we just add the
> schema="https" attribute to the first Site element and combine both
> entries into one, perhaps by adding the appropriate headers to the port
> 80 web site above?

You map the IIS site you're using into the logical port/scheme/hostname it's
serving. That's all I can tell you. Whether it's one site or two or ten is
up to the IIS configuration you're using.

> 3. The Site element has port and sslport attributes, but in the example
> provided only port=443 is mentioned. We are assuming that the value of
> sslport is not relevant in this case, correct?

sslport is only used when the request is physically https and allows a
single site running both http and https to serve two different virtualized
ports. If a site is physically http only, then only "port" is ever used.
I've never seen a use case come up for sslport because people are usually
offloading the SSL.

-- Scott

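The following shibboleth2.xml fragment is an added illustration of the Site mapping Scott describes in both of his replies (the "appropriate Site properties" in the first, and the IIS-instance-ID to scheme/hostname/port mapping in the second); it is not from the thread or from the Shibboleth project's own configuration files. The hostname is taken from the error message earlier in the thread; the IIS instance IDs are placeholders that must be replaced with the Identifier shown in IIS Manager for each site. The element and attribute names (InProcess, ISAPI, Site, id, name, scheme, port, sslport) are those of the SP 2.x native configuration.

```xml
<!-- Fragment of shibboleth2.xml (SP 2.x). Only the in-process ISAPI section
     is shown; the rest of the file is unchanged. -->
<InProcess>
  <ISAPI normalizeRequest="true">

    <!-- Site physically listening on port 80 behind the SSL-offloading
         load balancer. Without scheme/port the SP reconstructs the
         request URL as http://uat68.learn.com:80/Shibboleth.sso/SAML2/POST,
         which no longer matches the https ACS endpoint the IdP sent the
         response to, producing "SAML message delivered with POST to
         incorrect server URL". scheme/port tell the SP what the client
         actually used in front of the balancer.
         IIS_SITE_ID_A is a placeholder: use the site's Identifier from
         the IIS Manager summary window. -->
    <Site id="IIS_SITE_ID_A" name="uat68.learn.com" scheme="https" port="443"/>

    <!-- Optional second mapping, shown only to illustrate sslport: an IIS
         site that physically terminates TLS itself AND also serves plain
         http. "port" applies to its http requests and "sslport" to its
         https requests; both map to 443 here because a balancer in front
         presents everything on 443. Omit this element entirely if every
         site is http-only behind the offloader, since sslport is then
         never consulted. IIS_SITE_ID_B is a placeholder. -->
    <Site id="IIS_SITE_ID_B" name="uat68.learn.com" scheme="https" port="443" sslport="443"/>

  </ISAPI>
</InProcess>
```

Every IIS site the SP should handle needs its own Site element keyed on that site's instance ID; sites without a mapping are ignored by the ISAPI filter, and the order of the elements carries no meaning. After changing the mapping, restart IIS (the in-process filter reads this section at load time) and re-run the TestShib flow, confirming in the SP log that the request URL it reports for /Shibboleth.sso/SAML2/POST now carries the https scheme and port 443.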
