SAML authentication with nginx reverse proxy

899 views
Skip to first unread message

Eric Blanc

unread,
Oct 24, 2019, 4:58:58 AM10/24/19
to cBioPortal for Cancer Genomics Discussion Group
Hi,
Has anyone successfully setup a cbioportal instance behind an Nginx reverse Proxy doing SSL offloading in combination with SAML login?
 
Albeit having configured the entityBaseURL and having configured Spring:
 
    <b:bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
        <b:property name="scheme" value="https"/>
        <b:property name="serverName" value="ourdomain.tld"/>
        <b:property name="includeServerPortInRequestURL" value="false"/>
        <b:property name="contextPath" value="/"/>
    </b:bean>

we still receive the following error and can not figure out the cause:

SAML message intended destination endpoint did not match recipient endpoint

Would anyone be so kind to provide their configuration snippets?

Regards,
Brian

Andrew Blaket

unread,
Oct 24, 2019, 6:41:50 AM10/24/19
to cBioPortal for Cancer Genomics Discussion Group
I also have 

<b:property name="serverPort" value="443"/>


but I am using apache rather than nginx for the proxy


On the apache config that proxies through to my keycloak instance  has: 

RequestHeader set X-Forwarded-Proto "https"

RequestHeader set X-Forwarded-Port "443"


You might wish to increase the debugging so you can get it to tell you what the recipient endpoint it's trying to get at actually is?

Kind regards

Andy

Ino de Bruijn

unread,
Oct 31, 2019, 1:27:14 PM10/31/19
to Andrew Blaket, cBioPortal for Cancer Genomics Discussion Group
Hi Eric,

Hope you have been able to solve the issue. If not - we use webapp runner and had to explicitly set the reverse proxy url like this to make it work:


Best wishes,
Ino



--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/17f10705-945a-4a3b-a108-a7053b93ac3d%40googlegroups.com.

Ino de Bruijn

unread,
Oct 31, 2019, 1:28:25 PM10/31/19
to Andrew Blaket, cBioPortal for Cancer Genomics Discussion Group
See also this issue where someone found a different solution (not sure if this is similar to your issue):


Best wishes,
Ino
Reply all
Reply to author
Forward
0 new messages