RE: SAML message delivered with POST to incorrect server URL. with Google Cloud Load Balancer

O'Quinn, Dennis

Hi, I am very new to Shibboleth and am attempting to configure it to work with Ping Identity as the IdP and Shibboleth as the SP inside of Google Cloud Platform (GCP) behind a GCP LB. Running Shibboleth 2 on Linux and Apache 2.4.

This will be used to authenticate users for access to SAS, which is configured as HTTPS and listening on port 8343. The LB is listening on port 443 and will pass data through while changing the target port to 8343 in order to reach the SAS web server.

When we generate the SP metadata, all URLs come out as https://<saswebserver>:8343/....

If we use that metadata unchanged, then the return posts from the IdP will be stopped at the LB since it is not listening on 8343.

If we change the metadata to remove 8343 or change it to 443, then we can get through the LB, but we get the following error:

ERROR OpenSAML.MessageDecoder.SAML2POST [1]: POST targeted at (https://sascloud.com:443/Shibboleth.sso/SAML2/POST), but delivered to (https://sascloud.com:8343/Shibboleth.sso/SAML2/POST)

Note: the name of the GCP VM internal host name (i.e., the SAS web server) is completely different from sascloud.com. sascloud.com is simply our external/public DNS name for the LB. The URL is changed from https://sascloud.com:443/... to https://<sashostname>:8343/... by the LB backend as it is passed into GCP.

Is the httpd.conf ServerName directive the only way to control this behavior and get the target and destination names to match? Or is there a directive (or directives) that can be specified in shibboleth2.xml that can perform the translation and allow the authentication to work and allow the user to get to their SAS GUI?

Thanks in advance for any guidance, Dennis




The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its attachment.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: SAML message delivered with POST to incorrect server URL. with Google Cloud Load Balancer

Cantor, Scott E.
> Is the httpd.conf ServerName directive the only way to control this behavior
> and get the target and destination names to match?

Apache requires that be set for most applications to run properly in an environment like that, so yes, that's the only way for Shibboleth to work since it has to be set regardless. That's a feature (you configure your web server properly and the SP just works). IIS doesn't support virtualization so the SP is forced to compensate, but Apache does so there's no reason to do anything special.

If your application functions without ServerName set, it either never generates self-referential links or it's got a bug.

-- Scott


RE: SAML message delivered with POST to incorrect server URL. with Google Cloud Load Balancer

O'Quinn, Dennis
Thank you Scott, impressed with the quick turnaround...

RE: the ServerName, I was asking because that 'name' is defined all throughout SAS, and it has been a *bear* getting the configuration right just for SAS relative to the LB (where the GCP 'external' name (sascloud) and port (443) have to be defined in some places and the GCP 'internal' name/port (<sashostname>/8343) has to be defined in others, many places in both cases). Since SAS is hosting its own web server, I wasn't comfortable changing that setting (currently the internal name/port) for fear it would break SAS....

So, since we will have to use the 'external' name/port, I will give that a try and see if it still works...

If it will help you and the community, I will post back what I did when I get it working.

Thanks much, D

Dennis O'Quinn | EDW Infrastructure Engineering | NAE115H @ 2250 MTC
The Home Depot | Marietta Technology Center | 2250 Newmarket Parkway | Marietta, GA  30067
M: Direct: 470.689.4513 | Cell: 470.658.1183 | Internal: 24513
e: [hidden email]




-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Thursday, May 31, 2018 9:08 PM
To: Shib Users <[hidden email]>
Subject: [EXTERNAL] RE: SAML message delivered with POST to incorrect server URL. with Google Cloud Load Balancer

> Is the httpd.conf ServerName directive the only way to control this
> behavior and get the target and destination names to match?

Apache requires that be set for most  applications to run properly in an environment like that, so yes, that's the only way for Shibboleth to work since it has to be set regardless. That's a feature (you configure your web server properly and the SP just works). IIS doesn't support virtualization so the SP is forced to compensate, but Apache does so there's no reason to do anything special.

If your application functions without ServerName set, it either never generates self-referential links or it's got a bug.

-- Scott

--
For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_x_coFAAg&d=DwICAg&c=MtgQEAMQGqekjTjiAhkudQ&r=mn6DeBt1nj8Oqx06pdIK0_n5EfK6FeVHgdjBNpchyro&m=kP5AQYgmcluekYHX1y1AatSwkecj18Qnb1_gN27kEMs&s=pzAYH6S4SRbEIaLco0-kJhYphQG_dIegYXJXVmR42T0&e=
To unsubscribe from this list send an email to [hidden email]

________________________________

The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its at
 tachment.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: SAML message delivered with POST to incorrect server URL. with Google Cloud Load Balancer

O'Quinn, Dennis
Hi Scott (et al), I was able to add ServerAlias for the desired name in my httpd-ssl.conf file and get it to work once I removed the 443 port reference from my URLs in my metadata. Interestingly, I was unable to 'add' port 443 to my name on the SP end via that ServerAlias directive, or even the ServerName directive. I was only able to 'remove' all port references.

Thanks for the help

D


-----Original Message-----
From: users <[hidden email]> On Behalf Of Cantor, Scott
Sent: Thursday, May 31, 2018 9:08 PM
To: Shib Users <[hidden email]>
Subject: [EXTERNAL] RE: SAML message delivered with POST to incorrect server URL. with Google Cloud Load Balancer

> Is the httpd.conf ServerName directive the only way to control this
> behavior and get the target and destination names to match?

Apache requires that be set for most  applications to run properly in an environment like that, so yes, that's the only way for Shibboleth to work since it has to be set regardless. That's a feature (you configure your web server properly and the SP just works). IIS doesn't support virtualization so the SP is forced to compensate, but Apache does so there's no reason to do anything special.

If your application functions without ServerName set, it either never generates self-referential links or it's got a bug.

-- Scott

--
For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_x_coFAAg&d=DwICAg&c=MtgQEAMQGqekjTjiAhkudQ&r=mn6DeBt1nj8Oqx06pdIK0_n5EfK6FeVHgdjBNpchyro&m=kP5AQYgmcluekYHX1y1AatSwkecj18Qnb1_gN27kEMs&s=pzAYH6S4SRbEIaLco0-kJhYphQG_dIegYXJXVmR42T0&e=
To unsubscribe from this list send an email to [hidden email]

________________________________

The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its at
 tachment.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
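As an added example (not code from this thread, from Shibboleth or from OpenSAML), here is a small Python model of the destination check behind the error Dennis quotes, plus a parser for that error line that reports whether host, port or path differ, which is the first thing to establish when separating a load-balancer/ServerName problem from a wrong endpoint in metadata. It assumes a simplified reconstruction rule (effective server name and port, with the scheme's default port omitted); that rule is consistent with Dennis's observation that ':443' had to be removed from the metadata, but the SP's real code may differ in details.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
ACS_PATH = "/Shibboleth.sso/SAML2/POST"  # endpoint path from the error on this page
# Error line copied from the thread above, used as sample input.
SAMPLE_ERROR_LINE = ("ERROR OpenSAML.MessageDecoder.SAML2POST [1]: POST targeted at "
                     "(https://sascloud.com:443/Shibboleth.sso/SAML2/POST), but delivered to "
                     "(https://sascloud.com:8343/Shibboleth.sso/SAML2/POST)")

def sp_request_url(scheme: str, server_name: str, port: int, path: str) -> str:
    """Assumed, simplified model of the URL the SP reconstructs for a request it
    received: the web server's effective name and port, with the scheme's default
    port left out (an https request on 443 is written without ':443')."""
    port_part = "" if DEFAULT_PORTS.get(scheme) == port else f":{port}"
    return f"{scheme}://{server_name}{port_part}{path}"

def check_post_destination(destination: str, scheme: str, server_name: str,
                           port: int, path: str) -> tuple:
    """Exact string comparison of the message's Destination against the
    reconstructed URL; a mismatch is reported in the shape of the OpenSAML error."""
    delivered = sp_request_url(scheme, server_name, port, path)
    if destination == delivered:
        return True, "ok"
    return False, f"POST targeted at ({destination}), but delivered to ({delivered})"

LOG_RE = re.compile(r"POST targeted at \((?P<targeted>[^)]*)\), "
                    r"but delivered to \((?P<delivered>[^)]*)\)")

def diagnose_decoder_error(line: str):
    """Parse an OpenSAML.MessageDecoder.SAML2POST error line and list which URL
    components differ: 'host' points at ServerName/LB rewriting, 'port' at the
    listener or metadata port, 'path' at a wrong endpoint in the metadata."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t, d = urlsplit(m["targeted"]), urlsplit(m["delivered"])
    differs = []
    if (t.scheme, t.hostname) != (d.scheme, d.hostname):
        differs.append("host")
    if (t.port or DEFAULT_PORTS.get(t.scheme)) != (d.port or DEFAULT_PORTS.get(d.scheme)):
        differs.append("port")
    if t.path != d.path:
        differs.append("path")
    return {"targeted": m["targeted"], "delivered": m["delivered"], "differs": differs}

if __name__ == "__main__":
    print(diagnose_decoder_error(SAMPLE_ERROR_LINE))
    # Metadata written with ':443' never matches the reconstructed URL; without it, it does.
    print(check_post_destination("https://sascloud.com:443" + ACS_PATH, "https", "sascloud.com", 443, ACS_PATH))
    print(check_post_destination("https://sascloud.com" + ACS_PATH, "https", "sascloud.com", 443, ACS_PATH))
```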