Re: SAML authentication behind traefik proxy Response Destination mismatch

Thu, 14 Sep 2023 06:46:14 -0700 

Please see the following thread:

https://lists.apache.org/thread/hvd23yylm3lr9swkqxghvwlro8nlgg95

The information there is specific to Nginx proxy, but you likely need to
update you proxy configuration to pass through additional headers that will
allow the redirect to be generated correctly.  You'll also need to make
sure the RemoteIpValve is configured in Tomcat.

-Nick

On Thu, Sep 14, 2023 at 8:19 AM Szabó, Gyula <[email protected]> wrote:

> Hi,
>
> I figured out the cause of the problem, but I can't solve it.
>
> ```
> 11:39:26.228 [http-nio-8080-exec-6] ERROR c.onelogin.saml2.authn.SamlResponse
> - The response was received at
> http://guacamole.example.com/guacamole/api/ext/saml/callback instead of
> https://guacamole.example.com/guacamole/api/ext/saml/callback
> 11:39:26.229 [http-nio-8080-exec-6] WARN  o.a.g.a.s.a.
> AssertionConsumerServiceResource - Authentication attempted with an
> invalid SAML response: SAML response did not pass validation: The response
> was received at
> http://guacamole.example.com/guacamole/api/ext/saml/callback instead of
> https://guacamole.example.com/guacamole/api/ext/saml/callback
> ```
>
> The point is the URL protocol scheme: http vs. https.
>
> The Assertion Consumption Service at the
> https://guacamole.example.com/guacamole/api/ext/saml/callback endpoint,
> but in the traefik internal service at http://guacamole-app:8080
>
>
> Traefik config:
>
> ```
> http:
>   middlewares:
>     sslheader:
>       headers:
>         customRequestHeaders:
>           X-Forwarded-Proto: "https,wss"
>   services:
>     guacamole-app:
>       loadBalancer:
>         servers:
>         - url: "http://guacamole-app:8080/";
>   routers:
>     guacamole-app:
>       rule: "Host(`guacamole.example.com`) && PathPrefix(`/guacamole`)"
>       tls:
>         certResolver: acmeresolver
>       entryPoints:
>         - websecure
>       service: "guacamole-app@file"
>       middlewares:
>         - sslheader
> ```
>
> You see I try to add the x-forwarded-proto, but not too match success.
>
> Is there anybody to run this stack with success?
>
> How can I config the gaucamole docker container to change the http to
> https in the request?
>
> Thanks a lot.
>
> Gyula
>

Reply via email to