Simplesaml redirecting to HTTP instead of HTTPS


psylovibe

Jan 30, 2013, 2:31:16 PM1/30/13
to simple...@googlegroups.com
I have HTTPS set up on the load balancer, which decrypts and sends raw data to the app servers.

When I hit https://www.mysite.com/sso/saml it directs to the identity provider under HTTP not HTTPS.

In my authsource:

<?php
// config/authsources.php (the $config wrapper around the posted fragment is assumed)
$config = array(

    'default-sp' => array(
        'saml:SP',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => 'https://www.mydomain.com/sso/saml',

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => NULL,

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,

        'privatekey' => 'mydomain.pem',
        'certificate' => 'mydomain.crt',

        'RelayState' => 'https://www.mydomain.com/sso/saml',
    ),

);

How can I enforce simplesaml to always use HTTPS?

psylovibe

Jan 30, 2013, 2:41:34 PM1/30/13
to simple...@googlegroups.com

It looks like

<saml:NameID SPNameQualifier="https://www.mydomain.com/sso/saml">
<saml:Audience>https://www.mydomain.com/sso/saml</saml:Audience>

is set to https, but other attributes are http:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_02a9e0d523e6e9f1463d6be8c1ae8be6cff57fe4b9"
                Version="2.0"
                IssueInstant="2013-01-30T19:38:15Z"
                Destination="http://www.mydomain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"

Szabó, Gyula

Jan 30, 2013, 2:50:34 PM1/30/13
to simple...@googlegroups.com
Hi,

you should check the endpoints in the metadata. Probably there is http instead of https.

Regards:
gyufi


2013/1/30 psylovibe <theofan...@gmail.com>

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

psylovibe

Jan 30, 2013, 3:16:40 PM1/30/13
to simple...@googlegroups.com, gy...@sztaki.hu
Yes, it looks like this is the issue. The metadata has the HTTP protocol.

How do I enforce HTTPS?

If I enforce it in the method getServerHTTPS in lib/SimpleSAML/Utilities.php, the host appends :80.

psylovibe

Jan 30, 2013, 3:24:13 PM1/30/13
to simple...@googlegroups.com, gy...@sztaki.hu
I updated getServerPort to remove port 80.

I guess this is the only way if my certificate is set onto the load balancer.

Olav Morken

Jan 31, 2013, 2:01:19 AM1/31/13
to simple...@googlegroups.com, gy...@sztaki.hu
On Wed, Jan 30, 2013 at 12:24:13 -0800, psylovibe wrote:
> I updated getServerPort
>
> to remove port 80.
>
> I guess this is the only way if my certificate is set onto the load
> balancer.

You should be able to configure this through the 'baseurlpath' option
in config.php.

Try setting it to something like:

https://www.mydomain.com/sso/

Best regards,
Olav Morken
UNINETT / Feide

Jaime Pérez Crespo

Jan 31, 2013, 3:12:52 AM1/31/13
to simple...@googlegroups.com
Hi,

On Jan 30, 2013, at 21:24 PM, psylovibe <theofan...@gmail.com> wrote:
> I updated getServerPort to remove port 80.
>
> I guess this is the only way if my certificate is set onto the load balancer.

No, it's not. As Olav already mentioned, you can set the full URL (including https schema) in the "baseurlpath" option in config.php file. You should always avoid changing the code, as it will be harder for you to maintain and to upgrade.

But apart from that, I just wanted to seriously recommend you to configure your web setup (both load balancers and web server) the appropriate way, so that your hosts always get the schema used by the browser (either http or https). There are mechanisms like X-Forwarded-* headers to allow your hosts to get all the original information about the user's request, and you can also configure your hosts so that this is transparent for the apps. For instance, if you configure your hosts correctly, then you could configure "baseurlpath" as an absolute path (instead of a URL) and it will still work, as $_SERVER['HTTPS'] would be "on".

Regards,

--
Jaime Pérez
UNINETT / Feide

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

psylovibe

Jan 31, 2013, 2:53:21 PM1/31/13
to simple...@googlegroups.com
Jamie,

Thanks so much. Yeah, I want to set it up correctly. What I did was, on the load balancer, I set the following:

proxy_set_header   Host             $host;
proxy_set_header   X-Real-IP        $remote_addr;
proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
proxy_set_header   X-Forwarded-Proto https;

But $_SERVER['HTTPS'] is still an empty string? I do see X-Forwarded-Proto set to https though.

How can I get HTTPS to be set to 'on'? Would I have to do that on the application layer? If X-Forwarded-Proto is set and is https, then set HTTPS to on?

Jaime Pérez Crespo

Feb 1, 2013, 10:31:42 AM2/1/13
to simple...@googlegroups.com
Hi,

This is kind of off-topic in this list, but also a recurring issue, so anyway...

On Jan 31, 2013, at 20:53 PM, psylovibe <theofan...@gmail.com> wrote:
> Thanks so much. Yeah, I want to set it up correctly. What I did was, on the load balancer, I set the following:
>
> proxy_set_header   Host             $host;
> proxy_set_header   X-Real-IP        $remote_addr;
> proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
> proxy_set_header   X-Forwarded-Proto https;
>
> But $_SERVER['HTTPS'] is still an empty string? I do see X-Forwarded-Proto set to https though.

That's normal. Neither apache nor PHP directly support these headers (btw, maybe X-Forwarded-Port might be useful too). So what you have to do is to trick them to use the X-Forwarded-* headers instead of the original environment information.

> How can I get HTTPS to be set to 'on'? Would I have to do that on the application layer? If X-Forwarded-Proto is set and is https, then set HTTPS to on?

The easiest way I've found to do that is to add some code to PHP that is always executed prior to running any script. If I remember correctly, you can do that with auto_prepend_file (1) directive in php.ini. What you'll do in that code is basically look for X-Forwarded-* headers, and if present, modify $_SERVER accordingly.

Doing it this way you can ensure that all PHP applications will work fine even though they don't support X-Forwarded-* headers in a load balancing setup, and you won't need to modify any of them, with the clear advantage that means in terms of maintainability.

Regards,
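The auto_prepend_file approach Jaime describes, written out as an added example (this is not code from the thread or from simpleSAMLphp). It maps X-Forwarded-Proto, X-Forwarded-Port and X-Forwarded-For into $_SERVER before any script runs, and adds the check a practitioner wants here: the headers are honoured only when the request actually arrives from the load balancer, because any direct client can send X-Forwarded-Proto: https itself and would otherwise be treated as a TLS session. The TRUSTED_PROXIES addresses are constructed placeholders, and the file name forwarded_headers.php and PHP 7.1+ are assumptions.

```php
<?php
// forwarded_headers.php: registered through php.ini's auto_prepend_file so it
// runs before every script. It rewrites $_SERVER from X-Forwarded-* headers,
// but only for requests whose TCP peer is a trusted proxy.

// Addresses of the load balancer(s) that terminate TLS. Constructed values;
// replace them with your own.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function apply_forwarded_headers(array &$server, array $trustedProxies = TRUSTED_PROXIES): void
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return; // direct client: ignore whatever forwarded headers it sent
    }

    // Scheme: X-Forwarded-Proto decides HTTPS, REQUEST_SCHEME and the default port.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    if ($proto === 'https') {
        $server['HTTPS'] = 'on';
        $server['REQUEST_SCHEME'] = 'https';
        $server['SERVER_PORT'] = '443';
    } elseif ($proto === 'http') {
        unset($server['HTTPS']);
        $server['REQUEST_SCHEME'] = 'http';
        $server['SERVER_PORT'] = '80';
    }

    // Port: an explicit X-Forwarded-Port overrides the scheme default.
    $port = $server['HTTP_X_FORWARDED_PORT'] ?? '';
    if (ctype_digit($port) && (int) $port >= 1 && (int) $port <= 65535) {
        $server['SERVER_PORT'] = $port;
    }

    // Client address: the rightmost X-Forwarded-For entry is the one the trusted
    // proxy appended ($proxy_add_x_forwarded_for in nginx); anything to its left
    // was supplied by the client and is not trusted.
    $chain = $server['HTTP_X_FORWARDED_FOR'] ?? ($server['HTTP_X_REAL_IP'] ?? '');
    $hops = array_map('trim', explode(',', $chain));
    $client = end($hops);
    if ($client !== false && filter_var($client, FILTER_VALIDATE_IP) !== false) {
        $server['PROXY_ADDR'] = $peer;   // keep the balancer address for logging
        $server['REMOTE_ADDR'] = $client;
    }
}

apply_forwarded_headers($_SERVER);
```

Point php.ini at the file with auto_prepend_file = /path/to/forwarded_headers.php (path assumed). With the balancer sending X-Forwarded-Proto https as in the nginx lines above, $_SERVER['HTTPS'] is "on" by the time simpleSAMLphp runs, so baseurlpath can stay a relative path and the generated metadata endpoints and Destination URLs come out as https without touching the library code. The peer check is the part not to skip: without it, anyone who can reach an app server directly can forge the scheme and client address the application logs and reasons about.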
