In the past you had to hack lib/SimpleSAML/Utilities.php and simply
always return 'https' from getSelfProtocol() and 443 for $portnumber
but I think this should now be configurable.
Check the archives (or code ;), I'm pretty sure it's in there,
-peter
--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.
I just want to add that there is code in subversion that makes this
much easier, but there is no release containing that code yet.
Regards,
Olav Morken
UNINETT / Feide
X-Forwarded-Proto=https
So if you have something similar, you trust your reverse proxy, and you're sure that requests cannot go directly to Apache, you can use SetEnvIf like so in .htaccess (see https://httpd.apache.org/docs/2.2/mod/mod_setenvif.html#setenvif for doc and further examples):
SetEnvIf X-Forwarded-Proto https HTTPS=on
Now most PHP applications that check for a secure connection using the HTTPS environment variable (including simpleSAMLphp) will think the connection is secure. This will get rid of that warning.
Our problem was that the AssertionConsumerServiceURL in the <samlp:AuthnRequest/> sent over to the IdP started with http instead of https. This caused the IdP to send the browser back to an http URI on our end instead of the correct https URI. This actually causes SSO problems in Microsoft Edge because it doesn't re-POST (it does a GET instead) when it gets a 302 redirect, which is precisely what it gets from our reverse proxy when it tries an http URI. Firefox, Chrome and other browsers just re-POST so we didn't discover this until pretty late into testing.
Unfortunately, the problems continue. SimpleSAML_Utilities::selfURLhost() also likes to append the port number to the hostname if the port doesn't match the default port for the given (http/https) protocol. So after the fix above, browsers were being sent to https://our-app.example.com:80/lib/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp, which of course caused the browsers to not successfully connect to the reverse proxy.
In order to fix this, we ended up improving the code in selfURLhost() a bit where it sets the $portnumber:
// Prefer the client-facing port forwarded by the reverse proxy (as exposed in $_SERVER
// here; a raw X-Forwarded-Port request header would normally appear as HTTP_X_FORWARDED_PORT),
// otherwise fall back to Apache's own SERVER_PORT, and finally to 80.
$portnumber = isset($_SERVER["X_FORWARDED_PORT"]) ? $_SERVER["X_FORWARDED_PORT"] : null;
$portnumber = $portnumber ? $portnumber : (isset($_SERVER["SERVER_PORT"]) ? $_SERVER["SERVER_PORT"] : 80);
Of course, we also had to get nginx to also send over the original port to apache2:
proxy_set_header X-Forwarded-Port $server_port;
Now browsers are correctly being sent to https://our-app.example.com/lib/simplesaml/www/module.php/saml/sp/saml2-acs.php/default-sp by the IdP (as this is the URI our simplesamlphp SP provides) and all browsers are happy, including Microsoft Edge. And everybody gets fewer redirects. Excellent!
Hope that helps!
Best,
Bojan
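A self-contained version of the scheme/port logic discussed in this thread, added here as an example (it is not simpleSAMLphp code nor anything posted above): it only honours X-Forwarded-Proto and X-Forwarded-Port when the request came from a listed proxy address, and drops the port when it is the default for the resulting scheme. The $trustedProxies list and the sample $_SERVER arrays are constructed for the demo.

```php
<?php
// Added example, not simpleSAMLphp code: build the SP's own base URL from
// $_SERVER, trusting X-Forwarded-Proto / X-Forwarded-Port only when the peer is
// one of $trustedProxies (an assumed, constructed list). REMOTE_ADDR must still
// be the proxy's address here, i.e. not already rewritten by mod_remoteip.
function selfUrlHost(array $server, array $trustedProxies): string
{
    // Forwarded headers are attacker-controlled unless a trusted hop set them,
    // so ignore them when the direct peer is not one of our proxies.
    $fromProxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true);

    // Scheme: the proxy's X-Forwarded-Proto wins, otherwise Apache's HTTPS flag.
    if ($fromProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        $scheme = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https' ? 'https' : 'http';
    } else {
        $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    }

    // Port: the client-facing port from the proxy, otherwise the local SERVER_PORT.
    if ($fromProxy && isset($server['HTTP_X_FORWARDED_PORT'])) {
        $port = (int) $server['HTTP_X_FORWARDED_PORT'];
    } else {
        $port = isset($server['SERVER_PORT']) ? (int) $server['SERVER_PORT'] : 80;
    }

    // SERVER_NAME may already carry a port; keep the name part only.
    $host = preg_replace('/:\d+$/', '', $server['SERVER_NAME'] ?? 'localhost');

    // Omit the port when it is the default for the scheme, so the
    // AssertionConsumerServiceURL never becomes https://host:80/...
    $default = ($scheme === 'https') ? 443 : 80;
    $suffix = ($port <= 0 || $port === $default) ? '' : ':' . $port;
    return $scheme . '://' . $host . $suffix;
}

// Constructed request as Apache (mod_php) exposes it when nginx terminates TLS
// on 443 and proxies to Apache on plain-http port 80.
$behindProxy = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'SERVER_NAME'            => 'our-app.example.com',
    'SERVER_PORT'            => '80',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_PORT'  => '443',
];
echo selfUrlHost($behindProxy, ['10.0.0.5']), PHP_EOL;

// Same headers from a peer that is not our proxy: fall back to what Apache saw.
$spoofed = ['REMOTE_ADDR' => '203.0.113.9'] + $behindProxy;
echo selfUrlHost($spoofed, ['10.0.0.5']), PHP_EOL;
```

The second call shows why the trust check matters: without it, anyone who can reach Apache directly could steer the AssertionConsumerServiceURL by sending their own forwarded headers.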